Improper Access Control in Fortinet FortiClientEMS Products
CVE-2026-35616

9.1 CRITICAL

Key Information:

Vendor: Fortinet
CVE Published: 4 April 2026

Badges

Trended No. 1; Trended; Score: 13,500; Ransomware; Exploit Exists; Public PoC; EPSS 41%; CISA Reported; News Worthy

What is CVE-2026-35616?

CVE-2026-35616 is a vulnerability in Fortinet's FortiClientEMS product, affecting versions 7.4.5 through 7.4.6. FortiClientEMS (Endpoint Management Server) is the central console that enrolls, configures and monitors FortiClient endpoints, so that managed devices meet the organization's security policies. The vulnerability is classified as improper access control: an unauthenticated, network-based attacker who sends specially crafted requests to the EMS server can bypass the intended access checks and execute unauthorized code or commands on it. Because the EMS server pushes policy and configuration to every endpoint it manages, compromising it lets an attacker alter security configurations, deploy malware to managed endpoints, or read sensitive data, which significantly undermines an organization's security posture.

Potential impact of CVE-2026-35616

  1. Unauthorized Code Execution: The primary risk associated with this vulnerability is the potential for unauthorized code execution. Attackers could exploit the flaw to run arbitrary commands, which may lead to a full system compromise, allowing them to control devices managed by FortiClientEMS.

  2. Data Breaches: The ability to execute commands could facilitate access to sensitive information. This might result in data breaches, leading to exposure of confidential business information and personal data, which can have serious legal and financial implications for organizations.

  3. Disruption of Security Operations: Exploiting this vulnerability may allow attackers to alter or disable security measures configured within FortiClientEMS. Such disruption can compromise endpoint security efforts, leaving organizations vulnerable to additional threats and attacks, making incident response and recovery significantly more challenging.

CISA has reported CVE-2026-35616

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog as being exploited; at the time of listing it was not known to CISA to be used in ransomware campaigns. This can change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

FortiClientEMS 7.4.5 through 7.4.6 (inclusive). Fortinet has issued emergency patches (see the news articles below); this page does not list the fixed build, so consult the vendor advisory for the version to upgrade to.
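As an added example, not taken from this page or from Fortinet, the following Python snippet classifies FortiClientEMS version strings from an inventory against the affected range listed above. It compares versions numerically rather than as strings (plain string ordering sorts "7.4.10" before "7.4.6"), tolerates a leading "v" and a trailing build token, and only ever reports "affected" or "not in listed range": since this page gives no fixed version, a version outside the range must not be read as patched. The inventory and the version numbers in it are constructed for illustration.

```python
# Added example, not from the original page or from Fortinet: check
# FortiClientEMS versions against the affected range this page lists,
# 7.4.5 through 7.4.6 inclusive. Versions are compared as integer tuples,
# because plain string comparison orders "7.4.10" before "7.4.6".
from typing import Dict, Tuple

AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.4.6', 'v7.4.6' or '7.4.6 build 2128' into (major, minor, patch).

    Extra dotted components beyond the third are ignored, so a hypothetical
    '7.4.6.1' is treated as release 7.4.6 for range purposes.
    """
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:  # pad '7.4' to (7, 4, 0)
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_in_affected_range(text: str) -> bool:
    """True when 7.4.5 <= version <= 7.4.6, the range listed on this page."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> 'affected' | 'not in listed range' | 'unparseable'.

    'not in listed range' deliberately does not mean 'patched': the page does
    not state the fixed build, so that decision needs the vendor advisory.
    """
    result = {}
    for host, version in inventory.items():
        try:
            affected = is_in_affected_range(version)
        except ValueError:
            result[host] = "unparseable"
            continue
        result[host] = "affected" if affected else "not in listed range"
    return result


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE_INVENTORY = {
    "ems-prod-01": "7.4.5",
    "ems-dr-01": "v7.4.6",
    "ems-lab-01": "7.4.10 build 2128",
    "ems-legacy": "7.2.9",
    "ems-unknown": "n/a",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:20s} {verdict}")
```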

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a key building block for weaponization, which can lead to ransomware. This page flags a public PoC as available but does not link to it.

News Articles

U.S. CISA adds a flaw in Fortinet FortiClient EMS to its Known Exploited Vulnerabilities catalog - IT Security News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Fortinet FortiClient EMS, tracked as CVE-2026-35616 (CVSS score of…

3 weeks ago

Fortinet Rushes Emergency Fixes for Exploited Zero-Day

Fortinet issues emergency patches for CVE-2026-35616, a FortiClient EMS zero-day vulnerability that has been exploited in the wild.

3 weeks ago

Fortinet Issues Emergency Patch for FortiClient Zero-Day

The authentication bypass flaw, tracked as CVE-2026-35616, is the latest in a series of Fortinet vulnerabilities that have been exploited in the wild.

3 weeks ago


EPSS Score

41% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Public PoC available
  • Vulnerability reached the number 1 worldwide trending spot
  • CISA Reported
  • Vulnerability started trending
  • Used in Ransomware
  • Exploit known to exist
  • First article discovered by IT Security News
  • Vulnerability published
  • Vulnerability Reserved
