Improper Access Control in Fortinet FortiClientEMS Products
CVE-2026-35616
What is CVE-2026-35616?
CVE-2026-35616 is a vulnerability found within Fortinet's FortiClientEMS products, specifically versions 7.4.5 through 7.4.6. FortiClientEMS is designed to provide endpoint management and security for businesses, helping to ensure that devices meet security policies and are protected from various threats. The identified vulnerability is due to improper access control, which allows unauthenticated attackers to potentially execute unauthorized code or commands by sending specially crafted requests to the system. This weakness poses a considerable risk, as it could enable malicious actors to manipulate security configurations, install malware, or gain unauthorized access to sensitive data, significantly undermining an organization's security posture.
Potential impact of CVE-2026-35616
- Unauthorized Code Execution: The primary risk associated with this vulnerability is the potential for unauthorized code execution. Attackers could exploit the flaw to run arbitrary commands, which may lead to a full system compromise, allowing them to control devices managed by FortiClientEMS.
- Data Breaches: The ability to execute commands could facilitate access to sensitive information. This might result in data breaches, leading to exposure of confidential business information and personal data, which can have serious legal and financial implications for organizations.
- Disruption of Security Operations: Exploiting this vulnerability may allow attackers to alter or disable security measures configured within FortiClientEMS. Such disruption can compromise endpoint security efforts, leaving organizations vulnerable to additional threats and attacks, making incident response and recovery significantly more challenging.

Affected Version(s)
FortiClientEMS 7.4.5 through 7.4.6