CVE-2026-35616
Published: 04 April 2026
Summary
CVE-2026-35616 is a critical-severity Improper Access Control (CWE-284) vulnerability in Fortinet FortiClientEMS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).
Deeper analysis
CVE-2026-35616 is an improper access control vulnerability, tracked under CWE-284, that affects Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. The flaw carries a CVSS 3.1 base score of 9.8 and stems from insufficient authorization checks that permit crafted requests to bypass access controls.
An unauthenticated attacker with network access can exploit the issue remotely without user interaction or credentials, resulting in the ability to execute arbitrary code or commands with impacts across confidentiality, integrity, and availability.
Fortinet's advisory FG-IR-26-099 addresses the vulnerability, while CISA has added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation and prompting organizations to apply available updates or mitigations.
The EPSS score reached a peak of 0.4925 after disclosure before settling at a current value of 0.3475, reflecting a material rise that signals growing exploitation interest following public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18963
Vulnerability details
An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
- CWE(s): CWE-284 (Improper Access Control)
- KEV Date Added: 06 April 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-35616 is an improper access control vulnerability in FortiClientEMS enabling unauthenticated remote code execution via crafted requests to the management interface, directly facilitating T1190 (Exploit Public-Facing Application).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks on all requests to FortiClientEMS, blocking the crafted unauthenticated requests that bypass access controls.
- AC-17 (Remote Access): requires explicit authorization and security controls for all remote network connections to the EMS server, limiting the attack surface for unauthenticated remote exploitation.
- Vendor patching: mandates timely application of vendor patches (FG-IR-26-099) that correct the missing authorization logic in versions 7.4.5 through 7.4.6.