Cyber Posture

CVE-2026-35616

Critical · CISA KEV · Active Exploitation

Published: 04 April 2026
Modified: 06 April 2026
KEV Added: 06 April 2026
Patch: vendor patch available (Fortinet advisory FG-IR-26-099)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4481 (97.6th percentile)
Risk Priority: 66 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35616 is a critical-severity Improper Access Control (CWE-284) vulnerability in Fortinet FortiClientEMS, with a CVSS v3.1 base score of 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.4% of all CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Directly remediates the improper access control flaw in FortiClientEMS by identifying, prioritizing, and applying vendor patches to prevent exploitation.

Prevent: Prevents unauthenticated remote attackers from reaching the vulnerable EMS management interface by monitoring and controlling communications at network boundaries.

Prevent: Enforces approved authorizations to block unauthorized code execution via crafted requests targeting the improper access control vulnerability.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2026-35616 is an improper access control vulnerability in FortiClientEMS enabling unauthenticated remote code execution via crafted requests to the management interface, directly facilitating T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Deeper analysis (AI-generated)

CVE-2026-35616 is an improper access control vulnerability (CWE-284) affecting Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. It enables an unauthenticated attacker to execute unauthorized code or commands by sending crafted requests to the vulnerable component. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact across confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary code or commands on the affected FortiClientEMS server, potentially leading to full system compromise, data theft, or further lateral movement within the network.

Fortinet's advisory (FG-IR-26-099) and the CISA Known Exploited Vulnerabilities Catalog entry provide guidance on mitigation, including applying vendor patches and implementing network controls to restrict access to the EMS management interface. Security practitioners should review these resources for specific patch versions and workarounds.

This vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.

Details

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 06 April 2026

Affected Products

Vendor: fortinet
Product: forticlientems
Versions: 7.4.5, 7.4.6

CVEs Like This One

CVE-2026-21643: same product (Fortinet FortiClientEMS); both on KEV
CVE-2025-59922: same product (Fortinet FortiClientEMS)
CVE-2023-47539: same vendor (Fortinet)
CVE-2024-55591: same vendor (Fortinet); both on KEV
CVE-2024-23106: same product (Fortinet FortiClientEMS)
CVE-2025-24472: same vendor (Fortinet); both on KEV
CVE-2025-58034: same vendor (Fortinet); both on KEV
CVE-2025-59718: same vendor (Fortinet); both on KEV
CVE-2025-25257: same vendor (Fortinet); both on KEV
CVE-2025-64446: same vendor (Fortinet); both on KEV
