CVE-2026-35616

Published Apr 4, 2026

Last updated 2 months ago

Exploit knownCVSS critical 9.8
Port (22)
Network
Fortinet FortiClientEMS
Firmware
API
Supply chain
IoT
VPN

Overview

Description
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Source
psirt@fortinet.com
NVD status
Analyzed
Products
forticlientems

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Fortinet FortiClient EMS Improper Access Control Vulnerability
Exploit added on
Apr 6, 2026
Exploit action due
Apr 9, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

psirt@fortinet.com
CWE-284

Social media

Hype score
Not currently trending

  1. CVE-2026-35616. Fortinet's Endpoint Manager Is an Open Door: The Double Zero-Day Assault on FortiClient EMS (CVE-2026-35616 + CVE-2026-21643)

    @lyrie_ai

    21 May 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. 00:00 UTC: CVE-2026-35616 disclosed. CISA: CVE-2026-35616 added to Known Exploited Vulnerabilities — Fortinet FortiClient EMS What happened CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-06, signaling in-the-wild exploitation of…

    @lyrie_ai

    15 May 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Fortinet Critical RCE Flaws Fortinet patches two critical RCE vulnerabilities in FortiSandbox (CVE-2026-44277, CVE-2026-26083) and FortiAuthenticator (CVE-2026-21643, CVE-2026-35616). Unauthenticated attackers can run arbitrary commands or code on affected appliances. No

    @ElusivePrivacy

    12 May 2026

    123 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2025-48757 2 - CVE-2026-34621 3 - CVE-2026-35616 4 - CVE-2026-23654 5 - CVE-2026-5760 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    21 Apr 2026

    254 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 10 Fortinet flaws in CISA KEV since 2025. CVE-2026-35616 is the second unauthenticated RCE in FortiClient EMS this year. At what point does the pattern become the product?

    @0oMalt

    8 Apr 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨FortiClient EMSのゼロデイ悪用が確認される ホットフィックスも緊急リリース(CVE-2026-35616) ⚠️大規模クレデンシャルハーベスティングキャンペーンでReact2Shellが悪用される(CVE-2025-55182) 〜サイバーセキ

    @MachinaRecord

    6 Apr 2026

    253 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. CVE-2026-25254
  2. In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.CVE-2026-46333
  3. openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.CVE-2026-41070
  4. Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.CVE-2026-7776
  5. Memory corruption while processing IOCTL command when device is in power-save state.CVE-2026-25266

References

Sources include official advisories and independent security research.