Cyber Posture

CVE-2026-35616

Critical · CISA KEV · Active Exploitation

Published: 04 April 2026
Modified: 06 April 2026
KEV Added: 06 April 2026

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4321 (97.5th percentile)
Risk Priority: 66 (60% EPSS · 20% KEV · 20% CVSS)

Description

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the improper access control flaw in FortiClientEMS by identifying, prioritizing, and applying vendor patches to prevent exploitation.

prevent: Prevents unauthenticated remote attackers from reaching the vulnerable EMS management interface by monitoring and controlling communications at network boundaries.

prevent: Enforces approved authorizations to block unauthorized code execution via crafted requests targeting the improper access control vulnerability.

Security Summary

CVE-2026-35616 is an improper access control vulnerability (CWE-284) affecting Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. It enables an unauthenticated attacker to execute unauthorized code or commands by sending crafted requests to the vulnerable component. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact across confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary code or commands on the affected FortiClientEMS server, potentially leading to full system compromise, data theft, or further lateral movement within the network.

Fortinet's advisory (FG-IR-26-099) and the CISA Known Exploited Vulnerabilities Catalog entry provide guidance on mitigation, including applying vendor patches and implementing network controls to restrict access to the EMS management interface. Security practitioners should review these resources for specific patch versions and workarounds.

This vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.

Details

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 06 April 2026

Affected Products

Vendor: fortinet
Product: forticlientems
Versions: 7.4.5, 7.4.6
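The affected range above is narrow (7.4.5 and 7.4.6 only), so the practical question for a defender is which hosts in the fleet actually fall inside it and how urgently they rank. The following is an added example, not code from the Cyber Posture page or from Fortinet: it matches inventory entries against the listed range, keyed on product as well as version so that a FortiGate at 7.4.5 is not flagged, and reproduces the page's Risk Priority from the listed weights. The inventory lines are constructed for this example, and the scaling of the three inputs (EPSS as a percentage, KEV as 100 or 0, CVSS times 10, then rounded) is an assumption about the page's formula that happens to yield the page's 66 for the listed values.

```python
"""Added example (not from the Cyber Posture page or Fortinet): flag
FortiClientEMS hosts in the CVE-2026-35616 affected range and rank the
CVE with the page's 60% EPSS / 20% KEV / 20% CVSS Risk Priority weights.

Assumptions (not stated on the page):
  * inventory format 'hostname,product,version' is constructed here;
  * Risk Priority = 0.6 * (EPSS * 100) + 0.2 * (100 if KEV else 0)
                    + 0.2 * (CVSS * 10), rounded to an integer.
    With EPSS 0.4321, KEV listed and CVSS 9.8 this gives 66, the page's value.
"""

# Affected versions as listed on the page: 7.4.5 through 7.4.6 inclusive.
AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
AFFECTED_PRODUCT = "FortiClientEMS"


def parse_version(text: str) -> tuple[int, int, int]:
    """'7.4.6' -> (7, 4, 6). A build suffix such as '7.4.6-build2030'
    is dropped and missing components are padded with 0 ('7.4' -> (7, 4, 0))."""
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split(".") if p)
    padded = (parts + (0, 0, 0))[:3]
    return padded[0], padded[1], padded[2]


def is_affected(version: str) -> bool:
    """True when the version lies inside the inclusive affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def risk_priority(epss: float, in_kev: bool, cvss: float) -> int:
    """Assumed reconstruction of the page's Risk Priority blend.
    epss is the EPSS probability (0..1), cvss the CVSS v3.1 base score (0..10)."""
    score = 0.6 * (epss * 100) + 0.2 * (100 if in_kev else 0) + 0.2 * (cvss * 10)
    return round(score)


# Constructed inventory: hostname,product,version (not real hosts).
INVENTORY = """\
ems01.corp.example,FortiClientEMS,7.4.5
ems02.corp.example,FortiClientEMS,7.4.6-build2030
ems03.corp.example,FortiClientEMS,7.4.7
ems04.corp.example,FortiClientEMS,7.2.9
fgt01.corp.example,FortiGate,7.4.5
"""


def affected_hosts(inventory: str) -> list[str]:
    """Hosts running the affected product inside the affected version range.
    Matching on product matters: the FortiGate at 7.4.5 must not be flagged."""
    hosts = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(","))
        if product == AFFECTED_PRODUCT and is_affected(version):
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    rp = risk_priority(epss=0.4321, in_kev=True, cvss=9.8)
    print(f"CVE-2026-35616 risk priority: {rp}")
    for host in affected_hosts(INVENTORY):
        print(f"affected: {host}")
```

The range check compares integer tuples rather than strings, so 7.4.10 would correctly sort above 7.4.6 if a later build ever appeared in inventory; the build suffix is discarded because the page scopes the flaw by release version only.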

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2026-35616 is an improper access control vulnerability in FortiClientEMS enabling unauthenticated remote code execution via crafted requests to the management interface, directly facilitating T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
