Improper Access Control in Fortinet FortiClientEMS Products
CVE-2026-35616
Key Information:
- Vendor: Fortinet
- Status: Vendor
- CVE Published: 4 April 2026
What is CVE-2026-35616?
CVE-2026-35616 is a vulnerability found within Fortinet's FortiClientEMS products, specifically versions 7.4.5 through 7.4.6. FortiClientEMS is designed to provide endpoint management and security for businesses, helping to ensure that devices meet security policies and are protected from various threats. The identified vulnerability is due to improper access control, which allows unauthenticated attackers to potentially execute unauthorized code or commands by sending specially crafted requests to the system. This weakness poses a considerable risk, as it could enable malicious actors to manipulate security configurations, install malware, or gain unauthorized access to sensitive data, significantly undermining an organization's security posture.
Potential impact of CVE-2026-35616
- Unauthorized Code Execution: The primary risk associated with this vulnerability is the potential for unauthorized code execution. Attackers could exploit the flaw to run arbitrary commands, which may lead to a full system compromise, allowing them to control devices managed by FortiClientEMS.
- Data Breaches: The ability to execute commands could facilitate access to sensitive information. This might result in data breaches, leading to exposure of confidential business information and personal data, which can have serious legal and financial implications for organizations.
- Disruption of Security Operations: Exploiting this vulnerability may allow attackers to alter or disable security measures configured within FortiClientEMS. Such disruption can compromise endpoint security efforts, leaving organizations vulnerable to additional threats and attacks, making incident response and recovery significantly more challenging.
CISA has reported CVE-2026-35616
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-35616 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
FortiClientEMS 7.4.5 through 7.4.6 (inclusive)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
New infostealer reaches enterprise devices through FortiClient EMS vulnerability - IT Security News
Attackers are delivering a broad-spectrum infostealer to enterprise computers by exploiting a known vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS). “The [malicious] payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scri...
2 weeks ago
New infostealer reaches enterprise devices through FortiClient EMS vulnerability - Help Net Security
Attackers are delivering an infostealer to enterprise computers by exploiting a known vulnerability (CVE-2026-35616) in FortiClient EMS.
2 weeks ago
Fortinet Flaw Opens Door to Mass Credential Theft via Managed Endpoints
Threat actors are exploiting CVE-2026-35616 in FortiClient EMS to push disguised credential stealers to all managed endpoints at scale. Arctic Wolf and WatchTowr detail how attackers abuse management infrastructure for silent deployment and browser data theft. Organizations must patch immediately.
2 weeks ago
EPSS Score
34% chance of being exploited in the next 30 days.
Timeline
- 🟡 Public PoC available
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 🦅 CISA Reported
- 📈 Vulnerability started trending
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 📰 First article discovered by IT Security News
- Vulnerability published
- Vulnerability reserved