Cyber Resilience

CVE-2026-35616

Severity: Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 04 April 2026
Modified: 06 April 2026
KEV Added: 06 April 2026
Patch: see Fortinet advisory FG-IR-26-099
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.8851 (99.8th percentile)
Risk Priority: 100 (floored blend, peak EPSS)

Summary

CVE-2026-35616 is a critical-severity improper access control (CWE-284) vulnerability in Fortinet FortiClientEMS, with a CVSS v3.1 base score of 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.2% of all CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).

Deeper analysis

CVE-2026-35616 is an improper access control vulnerability, tracked under CWE-284, that affects Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. The flaw carries a CVSS 3.1 base score of 9.8 and stems from insufficient authorization checks that permit crafted requests to bypass access controls.

An unauthenticated attacker with network access to the EMS server can exploit the issue remotely, without credentials or user interaction (AV:N, PR:N, UI:N), and execute unauthorized code or commands, with high impact to confidentiality, integrity, and availability.

Fortinet's advisory FG-IR-26-099 addresses the vulnerability, while CISA has added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation and prompting organizations to apply available updates or mitigations.

The EPSS score rose to a peak of 0.4925 shortly after disclosure and has since settled at 0.3475; the rise following public release signals sustained exploitation interest.


Vulnerability details

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

CWE(s): CWE-284 Improper Access Control
KEV Date Added: 06 April 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-35616 is an improper access control vulnerability in FortiClientEMS enabling unauthenticated remote code execution via crafted requests to the management interface, directly facilitating T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21643 (same product: Fortinet FortiClientEMS; both on KEV)
CVE-2025-59922 (same product: Fortinet FortiClientEMS)
CVE-2026-44277 (same vendor: Fortinet)
CVE-2023-47539 (same vendor: Fortinet)
CVE-2024-55591 (same vendor: Fortinet; both on KEV)
CVE-2025-24472 (same vendor: Fortinet; both on KEV)
CVE-2024-23106 (same product: Fortinet FortiClientEMS)
CVE-2025-58034 (same vendor: Fortinet; both on KEV)
CVE-2025-25257 (same vendor: Fortinet; both on KEV)
CVE-2025-64446 (same vendor: Fortinet; both on KEV)

Affected Assets

Vendor: Fortinet
Product: FortiClientEMS
Versions: 7.4.5, 7.4.6
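The affected range above, turned into a fleet triage helper. This is an added example, not code from this page or from Fortinet. It assumes an inventory where each EMS host carries a name, the version string it reports, and an internet_facing flag (all constructed sample data below); it treats only 7.4.5 and 7.4.6 as in scope, as the page states, and deliberately reports anything else as "not-listed" rather than "fixed", because whether a given later build contains the fix has to be confirmed against FG-IR-26-099. Versions are compared numerically so that 7.4.10 is not mistaken for a build below 7.4.6, and an unparseable version is surfaced for review instead of being silently treated as unaffected.

```python
"""Affected-version triage for CVE-2026-35616 (FortiClientEMS 7.4.5 through 7.4.6).

Added example; not code from the page or from Fortinet. The affected range is
taken from the advisory text on the page. The inventory format (name, version
string, internet_facing) is an assumption and the hosts below are constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Affected range as stated on the page, inclusive on both ends.
AFFECTED_MIN: Tuple[int, int, int] = (7, 4, 5)
AFFECTED_MAX: Tuple[int, int, int] = (7, 4, 6)

# Accepts "7.4.6", "v7.4.6" and "7.4.5 build 2012"; the build number is
# tolerated but ignored because the page defines the range by release only.
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\s*(?:build|b)\s*\d+)?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch' into a tuple of ints, or None if unparseable.

    Numeric tuples compare correctly; a plain string compare would rank
    '7.4.10' below '7.4.6'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: str) -> Optional[bool]:
    """True/False for a parseable version; None when it cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


class Host(NamedTuple):
    name: str
    version: str
    internet_facing: bool  # assumed inventory attribute, see lead-in


def triage(hosts: List[Host]) -> dict:
    """Map host name to a verdict.

    patch-now  : affected and reachable from the internet (T1190 exposure)
    patch      : affected, internal only
    review     : version string could not be parsed, do not assume safe
    not-listed : outside the range the page lists; confirm fix against FG-IR-26-099
    """
    verdicts = {}
    for h in hosts:
        affected = is_affected(h.version)
        if affected is None:
            verdicts[h.name] = "review"
        elif affected and h.internet_facing:
            verdicts[h.name] = "patch-now"
        elif affected:
            verdicts[h.name] = "patch"
        else:
            verdicts[h.name] = "not-listed"
    return verdicts


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY: List[Host] = [
    Host("ems-prod-01", "7.4.6", True),
    Host("ems-prod-02", "7.4.5 build 2012", False),
    Host("ems-lab", "7.4.10", True),
    Host("ems-old", "7.2.8", False),
    Host("ems-unknown", "n/a", True),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {verdict}")
```

Run it against a CSV export of the real EMS inventory by building Host records from the rows; the "review" verdict is the one to chase first, since hosts whose version cannot be read are usually the ones nobody has looked at.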

Mitigating Controls (NIST 800-53 r5, AI)

AC-3 Access Enforcement · prevent

Directly enforces authorization checks on all requests to FortiClientEMS, blocking the crafted unauthenticated requests that bypass access controls. Because the missing authorization check is inside the product itself, this control can only be applied upstream of the vulnerable server (for example at a reverse proxy or firewall that requires authentication before reaching EMS) until the patch is installed.

AC-17 Remote Access · partial match · prevent

Requires explicit authorization and security controls for all remote network connections to the EMS server, limiting the attack surface for unauthenticated remote exploitation.

Vendor patch (FG-IR-26-099) · prevent

Mandates timely application of the vendor fix that corrects the missing authorization logic in versions 7.4.5 through 7.4.6.
