CVE-2026-35616

Published Apr 4, 2026

Last updated 3 months ago

Exploit knownCVSS critical 9.8
Network
API
IoT
Supply chain
VPN
Firmware
Port (22)
Fortinet FortiClientEMS

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-35616 is an improper access control vulnerability affecting Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. This flaw enables an unauthenticated attacker to execute unauthorized code or commands by sending specially crafted requests. The vulnerability essentially allows for a bypass of authentication and authorization mechanisms within the FortiClient EMS API. This vulnerability has been actively exploited in the wild, with reports indicating that attackers have leveraged it to deploy information-stealing malware, such as the EKZ Infostealer, disguised as Fortinet patches. The exploitation does not require prior authentication or user interaction, making it a significant concern for organizations utilizing vulnerable FortiClient EMS instances.

Description
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Source
psirt@fortinet.com
NVD status
Analyzed
Products
forticlientems

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Fortinet FortiClient EMS Improper Access Control Vulnerability
Exploit added on
Apr 6, 2026
Exploit action due
Apr 9, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

psirt@fortinet.com
CWE-284

Social media

Hype score
Not currently trending
  1. The JDY Botnet is growing, with 1,500+ devices used to scan, fingerprint, and map exposed services. CVE-2026-35616 affects Fortinet FortiClient EMS. Saner security content is available to help detect and mitigate this vulnerability. Read more here: https://t.co/ck37hfQiee

    @SecPod

    17 Jun 2026

    63 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2026-35616: Fortinet FortiClient EMS—the centralized command post for managing endpoint security policies across enterprise fleets—has suffered back-to-back critical zero-days in the span of three weeks. CVE-2026-35616 CVSS 9.1 is an unauthenticated pre-authentication…

    @lyrie_ai

    17 Jun 2026

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. CVE-2026-35616: CVE-2026-35616 CVSS 9.1 is a pre-authentication API bypass in Fortinet FortiClient EMS 7.4.5 and 7.4.6 that grants unauthenticated attackers full administrative RCE on the endpoint management server. The root cause is a dual-read architecture failure:…

    @lyrie_ai

    16 Jun 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. 16:26 UTC: CVE-2026-35616 disclosed. CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks 0day Intel: CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https

    @lyrie_ai

    8 Jun 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. CVE-2026-35616: ⚠️ Threat actors are exploiting a critical FortiClient EMS flaw to push credential-stealing malware to entire networks of managed endpoints. CVE-2026-35616 (CVSS 9.1) allows pre-auth bypass and privilege escalation. Read full report:

    @lyrie_ai

    8 Jun 2026

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. تم استغلال FortiClient EMS عبر CVE-2026-35616 لتسليم EKZ Infostealer المتنكرة كتصحيح Fortinet. FortiClient EMS was exploited via CVE-2026-35616 to deliver EKZ Infostealer disguised as a Fortinet patch. https://t.co/A5lLUPIw4O #FortiClientEMS #CVE

    @fad_777

    31 May 2026

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2026-35616: Fortinet FortiClient EMS Bug - What It Means for Your Business and How to Respond https://t.co/lJHLe9sKxC

    @integ_sec

    30 May 2026

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Fortinet FortiClient Enterprise Management Server (EMS) CVE-2026-35616 https://t.co/thQZnNwTfJ

    @corerouter

    29 May 2026

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https://t.co/iigCr4W6BX

    @PVynckier

    29 May 2026

    98 Impressions

    3 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🔒 #CyberSecurity CVE-2026-35616: FortiClient EMS Exploitation — Detection, Hunting, and Hardenin… "Critical FortiClient EMS RCE flaw (CVE-2026-35616) is under active attack to deploy…" 🔗 https://t.co/W8lw97Ptv0 #CyberSecurity #ThreatIntel #cve #zeroday #patchtuesd

    @SecurityAr58409

    29 May 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Security News Newsletter - Thursday, May 28, 2026 The cybersecurity landscape continues to evolve with new threats emerging daily. Here are the top 5 critical security stories you need to know about today. 1. FortiClient EMS Flaw (CVE-2026-35616) Actively Exploited for Malware

    @gh0st_V3ctbrv

    28 May 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. https://t.co/zFi984EXCx #Fortinet #ForticlientEMS #Vulnerability

    @enetechnologys2

    28 May 2026

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. ‼️ One Forged Header: Unauthenticated Authentication Bypass in Fortinet FortiClient EMS (CVE-2026-35616) https://t.co/Y2v2dTXQ0g

    @DarkWebInformer

    28 May 2026

    8823 Impressions

    8 Retweets

    43 Likes

    18 Bookmarks

    1 Reply

    2 Quotes

  14. 🤖 Nueva noticia de ciberseguridad: FORTICLIENT CVE-2026-35616 EJECUCIÓN REMOTA Claves técnicas y medidas de mitigación en este boletín ➡️ https://t.co/hxzJ1sQudO📄

    @turingbyondu

    28 May 2026

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https://t.co/29d2NKEvEB

    @VivekIntel

    28 May 2026

    361 Impressions

    1 Retweet

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Lỗ hổng CVE CVE-2026-35616 rất nghiêm trọng https://t.co/GaPeuR4DTk

    @MeowsComCom

    28 May 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. NEW THREAT INTEL: EKZ Infostealer abuses FortiClient EMS CVE-2026-35616 (CVSS 9.8) for SYSTEM exec via on_connect VPN. https://t.co/YA319uqh2r #ThreatIntel #Fortinet https://t.co/C2b9vKTwbv

    @threadlinqs

    28 May 2026

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch https://t.co/xq1QGElUkw

    @Dinosn

    28 May 2026

    423 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  19. FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch https://t.co/R4OVD37ofR Key Takeaways Arctic Wolf observed evidence of CVE-2026-35616 being exploited against FortiClient EMS deployments. The campaign abused trusted endpoint

    @f1tym1

    27 May 2026

    75 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. CVE-2026-35616. Fortinet's Endpoint Manager Is an Open Door: The Double Zero-Day Assault on FortiClient EMS (CVE-2026-35616 + CVE-2026-21643)

    @lyrie_ai

    21 May 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  21. 00:00 UTC: CVE-2026-35616 disclosed. CISA: CVE-2026-35616 added to Known Exploited Vulnerabilities — Fortinet FortiClient EMS What happened CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-06, signaling in-the-wild exploitation of…

    @lyrie_ai

    15 May 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. Fortinet Critical RCE Flaws Fortinet patches two critical RCE vulnerabilities in FortiSandbox (CVE-2026-44277, CVE-2026-26083) and FortiAuthenticator (CVE-2026-21643, CVE-2026-35616). Unauthenticated attackers can run arbitrary commands or code on affected appliances. No

    @ElusivePrivacy

    12 May 2026

    123 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  23. Top 5 Trending CVEs: 1 - CVE-2025-48757 2 - CVE-2026-34621 3 - CVE-2026-35616 4 - CVE-2026-23654 5 - CVE-2026-5760 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    21 Apr 2026

    254 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 10 Fortinet flaws in CISA KEV since 2025. CVE-2026-35616 is the second unauthenticated RCE in FortiClient EMS this year. At what point does the pattern become the product?

    @0oMalt

    8 Apr 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 🚨FortiClient EMSのゼロデイ悪用が確認される ホットフィックスも緊急リリース(CVE-2026-35616) ⚠️大規模クレデンシャルハーベスティングキャンペーンでReact2Shellが悪用される(CVE-2025-55182) 〜サイバーセキ

    @MachinaRecord

    6 Apr 2026

    253 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations