CVE-2026-35616
Published Apr 4, 2026
Last updated 3 months ago
AI description
CVE-2026-35616 is an improper access control vulnerability affecting Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. This flaw enables an unauthenticated attacker to execute unauthorized code or commands by sending specially crafted requests. The vulnerability essentially allows for a bypass of authentication and authorization mechanisms within the FortiClient EMS API. This vulnerability has been actively exploited in the wild, with reports indicating that attackers have leveraged it to deploy information-stealing malware, such as the EKZ Infostealer, disguised as Fortinet patches. The exploitation does not require prior authentication or user interaction, making it a significant concern for organizations utilizing vulnerable FortiClient EMS instances.
- Description
- A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
- Source
- psirt@fortinet.com
- NVD status
- Analyzed
- Products
- forticlientems
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Data from CISA
- Vulnerability name
- Fortinet FortiClient EMS Improper Access Control Vulnerability
- Exploit added on
- Apr 6, 2026
- Exploit action due
- Apr 9, 2026
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- psirt@fortinet.com
- CWE-284
- Hype score
- Not currently trending
The JDY Botnet is growing, with 1,500+ devices used to scan, fingerprint, and map exposed services. CVE-2026-35616 affects Fortinet FortiClient EMS. Saner security content is available to help detect and mitigate this vulnerability. Read more here: https://t.co/ck37hfQiee
@SecPod
17 Jun 2026
63 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-35616: Fortinet FortiClient EMS—the centralized command post for managing endpoint security policies across enterprise fleets—has suffered back-to-back critical zero-days in the span of three weeks. CVE-2026-35616 CVSS 9.1 is an unauthenticated pre-authentication…
@lyrie_ai
17 Jun 2026
61 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2026-35616: CVE-2026-35616 CVSS 9.1 is a pre-authentication API bypass in Fortinet FortiClient EMS 7.4.5 and 7.4.6 that grants unauthenticated attackers full administrative RCE on the endpoint management server. The root cause is a dual-read architecture failure:…
@lyrie_ai
16 Jun 2026
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
16:26 UTC: CVE-2026-35616 disclosed. CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks 0day Intel: CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https
@lyrie_ai
8 Jun 2026
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2026-35616: ⚠️ Threat actors are exploiting a critical FortiClient EMS flaw to push credential-stealing malware to entire networks of managed endpoints. CVE-2026-35616 (CVSS 9.1) allows pre-auth bypass and privilege escalation. Read full report:
@lyrie_ai
8 Jun 2026
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
تم استغلال FortiClient EMS عبر CVE-2026-35616 لتسليم EKZ Infostealer المتنكرة كتصحيح Fortinet. FortiClient EMS was exploited via CVE-2026-35616 to deliver EKZ Infostealer disguised as a Fortinet patch. https://t.co/A5lLUPIw4O #FortiClientEMS #CVE
@fad_777
31 May 2026
44 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-35616: Fortinet FortiClient EMS Bug - What It Means for Your Business and How to Respond https://t.co/lJHLe9sKxC
@integ_sec
30 May 2026
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Fortinet FortiClient Enterprise Management Server (EMS) CVE-2026-35616 https://t.co/thQZnNwTfJ
@corerouter
29 May 2026
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https://t.co/iigCr4W6BX
@PVynckier
29 May 2026
98 Impressions
3 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🔒 #CyberSecurity CVE-2026-35616: FortiClient EMS Exploitation — Detection, Hunting, and Hardenin… "Critical FortiClient EMS RCE flaw (CVE-2026-35616) is under active attack to deploy…" 🔗 https://t.co/W8lw97Ptv0 #CyberSecurity #ThreatIntel #cve #zeroday #patchtuesd
@SecurityAr58409
29 May 2026
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Security News Newsletter - Thursday, May 28, 2026 The cybersecurity landscape continues to evolve with new threats emerging daily. Here are the top 5 critical security stories you need to know about today. 1. FortiClient EMS Flaw (CVE-2026-35616) Actively Exploited for Malware
@gh0st_V3ctbrv
28 May 2026
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. https://t.co/zFi984EXCx #Fortinet #ForticlientEMS #Vulnerability
@enetechnologys2
28 May 2026
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
‼️ One Forged Header: Unauthenticated Authentication Bypass in Fortinet FortiClient EMS (CVE-2026-35616) https://t.co/Y2v2dTXQ0g
@DarkWebInformer
28 May 2026
8823 Impressions
8 Retweets
43 Likes
18 Bookmarks
1 Reply
2 Quotes
🤖 Nueva noticia de ciberseguridad: FORTICLIENT CVE-2026-35616 EJECUCIÓN REMOTA Claves técnicas y medidas de mitigación en este boletín ➡️ https://t.co/hxzJ1sQudO📄
@turingbyondu
28 May 2026
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https://t.co/29d2NKEvEB
@VivekIntel
28 May 2026
361 Impressions
1 Retweet
7 Likes
0 Bookmarks
0 Replies
0 Quotes
Lỗ hổng CVE CVE-2026-35616 rất nghiêm trọng https://t.co/GaPeuR4DTk
@MeowsComCom
28 May 2026
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
NEW THREAT INTEL: EKZ Infostealer abuses FortiClient EMS CVE-2026-35616 (CVSS 9.8) for SYSTEM exec via on_connect VPN. https://t.co/YA319uqh2r #ThreatIntel #Fortinet https://t.co/C2b9vKTwbv
@threadlinqs
28 May 2026
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch https://t.co/xq1QGElUkw
@Dinosn
28 May 2026
423 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch https://t.co/R4OVD37ofR Key Takeaways Arctic Wolf observed evidence of CVE-2026-35616 being exploited against FortiClient EMS deployments. The campaign abused trusted endpoint
@f1tym1
27 May 2026
75 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-35616. Fortinet's Endpoint Manager Is an Open Door: The Double Zero-Day Assault on FortiClient EMS (CVE-2026-35616 + CVE-2026-21643)
@lyrie_ai
21 May 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
00:00 UTC: CVE-2026-35616 disclosed. CISA: CVE-2026-35616 added to Known Exploited Vulnerabilities — Fortinet FortiClient EMS What happened CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-06, signaling in-the-wild exploitation of…
@lyrie_ai
15 May 2026
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Fortinet Critical RCE Flaws Fortinet patches two critical RCE vulnerabilities in FortiSandbox (CVE-2026-44277, CVE-2026-26083) and FortiAuthenticator (CVE-2026-21643, CVE-2026-35616). Unauthenticated attackers can run arbitrary commands or code on affected appliances. No
@ElusivePrivacy
12 May 2026
123 Impressions
1 Retweet
1 Like
0 Bookmarks
1 Reply
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2025-48757 2 - CVE-2026-34621 3 - CVE-2026-35616 4 - CVE-2026-23654 5 - CVE-2026-5760 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
21 Apr 2026
254 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
10 Fortinet flaws in CISA KEV since 2025. CVE-2026-35616 is the second unauthenticated RCE in FortiClient EMS this year. At what point does the pattern become the product?
@0oMalt
8 Apr 2026
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨FortiClient EMSのゼロデイ悪用が確認される ホットフィックスも緊急リリース(CVE-2026-35616) ⚠️大規模クレデンシャルハーベスティングキャンペーンでReact2Shellが悪用される(CVE-2025-55182) 〜サイバーセキ
@MachinaRecord
6 Apr 2026
253 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fortinet:forticlientems:7.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7CFAA44F-6B24-4702-93B8-94B703D684D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fortinet:forticlientems:7.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "4AA9A954-1D6F-4B4D-9670-1DCF14F59737",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]