CVE-2026-35616: Fortinet FortiClient EMS

What is CVE-2026-35616?

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

CVSS9.8 NVD 3.1

SeverityCRITICAL

Exploitation In the wild In CISA KEV

Triage statusActive Exploit

ActionPatch immediately

CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWECWE-284

NVD published2026-04-04

NVD last modified2026-04-06

CISA Known Exploited Vulnerability

Fortinet FortiClient EMS Improper Access Control Vulnerability

Added to KEV2026-04-06

Federal patch deadline2026-04-09

Known ransomware useUnknown

Affected product

Fortinet FortiClient EMS

Remediation Steps

Apply emergency out-of-band security patch released by Fortinet immediately
Review FortiClient EMS access logs for unauthorized API access attempts
Reset credentials for all administrative and service accounts
Implement network segmentation to restrict FortiClient EMS access
Monitor for indicators of privilege escalation or lateral movement

References

Coverage on defend.network

Vulnerability Priority Report – Week 15 of April 2026 (April 6 – 12)
FortiClient EMS, GitHub secrets, CISA breach: critical exploitation ongoing (2026-05-29)
FortiClient EMS, Gogs RCE actively exploited; CISA GitHub leak exposes AWS keys (2026-05-28)
Iran & DPRK target Microsoft 365; GitHub C2 supply-chain attacks (2026-04-07)
FortiClient RCE exploited; DPRK & Chinese APTs hit EU institutions (2026-04-06)

🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.