9.8

CVE-2026-35616

Warning
Media report
An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Linked by AI from unstructured data to existing CPEs in the NVD
Data is provided by the National Vulnerability Database (NVD)
Fortinet Forticlientems Version 7.4.5
Fortinet Forticlientems Version 7.4.6

06.04.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: Fortinet FortiClient EMS Improper Access Control Vulnerability

Description: Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Required actions: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Metrics
Type: EPSS
Source: FIRST.org
Score: 25.26%
Percentile: 0.962

CVSS Metrics
Source: psirt@fortinet.com
Base Score: 9.8
Exploit Score: 3.9
Impact Score: 5.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.