CVE-2026-35616

Published Apr 4, 2026

Last updated 3 hours ago

Exploit known CVSS critical 9.8

Overview

Description: A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Source: psirt@fortinet.com
NVD status: Analyzed
Products: forticlientems

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Fortinet FortiClient EMS Improper Access Control Vulnerability
Exploit added on: Apr 6, 2026
Exploit action due: Apr 9, 2026
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

psirt@fortinet.com: CWE-284

Hype score: Not currently trending

🚨FortiClient EMSのゼロデイ悪用が確認されるホットフィックスも緊急リリース（CVE-2026-35616） ⚠️大規模クレデンシャルハーベスティングキャンペーンでReact2Shellが悪用される（CVE-2025-55182）〜サイバーセキ
@MachinaRecord
6 Apr 2026
213 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fortinet:forticlientems:7.4.5:*:*:*:*:*:*:*",
            "matchCriteriaId": "7CFAA44F-6B24-4702-93B8-94B703D684D1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:forticlientems:7.4.6:*:*:*:*:*:*:*",
            "matchCriteriaId": "4AA9A954-1D6F-4B4D-9670-1DCF14F59737",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Known exploits

Weaknesses

Social media

Configurations

Related CVEs

References