A critical improper access control flaw in Fortinet FortiClient EMS 7.4.5 and 7.4.6 lets unauthenticated attackers execute unauthorized code or commands via crafted requests, and CISA has confirmed it is being actively exploited in the wild.
What Is It
CVE-2026-35616 is an improper access control vulnerability (CWE-284) in Fortinet FortiClient EMS. According to Fortinet's PSIRT advisory, a crafted request can bypass access controls and allow an unauthenticated attacker to execute unauthorized code or commands on affected installations. The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and full impact to confidentiality, integrity, and availability.
Why It Matters
CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2026-04-06, confirming active exploitation in the wild. FortiClient EMS is a centralized management platform for endpoint clients, so a successful exploit hands an unauthenticated attacker a foothold with broad reach across managed endpoints. The combination of no authentication, network attack vector, and full code execution makes this a top-priority patch. Ransomware campaign use is currently listed as "Unknown" by CISA, but the impact profile mirrors flaws routinely picked up by ransomware affiliates.
What's Vulnerable
Per NVD, the following FortiClient EMS versions are confirmed affected:
- Fortinet FortiClient EMS 7.4.5
- Fortinet FortiClient EMS 7.4.6
Internet-exposed FortiClient EMS instances should be considered the highest-risk surface.
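The following added example (not Fortinet's code or this advisory's) turns the version list and the exposure statement above into a triage routine over an inventory: it normalises version strings, matches them against the two versions NVD lists as confirmed affected, flags other 7.4.x builds for manual verification against FG-IR-26-099 (an assumption about how a defender would handle the unconfirmed siblings, not a statement from the page), and orders the results with internet-exposed instances first. The inventory, host names and the `EmsInstance` record type are constructed for the example.

```python
from dataclasses import dataclass

# Versions NVD lists as confirmed affected by CVE-2026-35616 (from the advisory text).
AFFECTED_VERSIONS = {(7, 4, 5), (7, 4, 6)}
AFFECTED_BRANCH = (7, 4)   # assumption: same-branch builds get a manual check, not a pass


@dataclass(frozen=True)
class EmsInstance:
    """One FortiClient EMS server from an asset inventory (constructed record type)."""
    host: str
    version: str
    internet_exposed: bool


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of ints.

    Leading/trailing whitespace and any '-suffix' after the numeric part are
    dropped; anything else that is not digits raises rather than silently
    classifying an unknown build.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def classify(inst: EmsInstance) -> str:
    """AFFECTED if on NVD's confirmed list, VERIFY if on the same branch, else NOT_LISTED."""
    v = parse_version(inst.version)
    if v in AFFECTED_VERSIONS:
        return "AFFECTED"
    if v[:2] == AFFECTED_BRANCH:
        return "VERIFY"
    return "NOT_LISTED"


def triage(instances: list[EmsInstance]) -> list[tuple[str, str]]:
    """Return (host, status) for every instance needing action.

    Ordering: internet-exposed first, then confirmed-affected before
    verify-needed, then by host name so the output is stable.
    """
    ranked = []
    for inst in instances:
        status = classify(inst)
        if status == "NOT_LISTED":
            continue
        ranked.append((inst, status))
    ranked.sort(key=lambda r: (not r[0].internet_exposed, r[1] != "AFFECTED", r[0].host))
    return [(inst.host, status) for inst, status in ranked]


# Constructed sample inventory; host names and exposure flags are illustrative.
SAMPLE_INVENTORY = [
    EmsInstance("ems-lab.example.internal", "7.4.6", internet_exposed=False),
    EmsInstance("ems-dmz.example.com", " 7.4.5 ", internet_exposed=True),
    EmsInstance("ems-hq.example.internal", "7.4.4", internet_exposed=False),
    EmsInstance("ems-branch.example.com", "7.2.9", internet_exposed=True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{status:9s} {host}")
```

The point of the ordering is operational: with a three-day federal deadline, the internet-exposed 7.4.5 server is the one to patch (and check for compromise) before any internal instance, even though both carry the same confirmed-affected status.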
Patch Status
Fortinet has published advisory FG-IR-26-099 with guidance for affected deployments. CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The federal due date was 2026-04-09: an unusually tight three-day window that signals the urgency CISA places on this flaw. CISA also recommends checking for signs of potential compromise on all internet-accessible Fortinet products affected by this vulnerability before assuming a clean patch.