Known Exploited Vulnerability
9.8 CRITICAL (CVSS 3.1)
CVE-2026-35616
Fortinet FortiClient EMS Improper Access Control Vulnerability - [Actively Exploited]
Description

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

INFO

Published Date: April 4, 2026, 1:16 a.m.

Last Modified: April 6, 2026, 6:12 p.m.

Remotely Exploitable: Yes
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description: Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use: Unknown

Notes: Please adhere to Fortinet's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet-accessible Fortinet products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as they become available. For more information, see https://fortiguard.fortinet.com/psirt/FG-IR-26-099 and https://nvd.nist.gov/vuln/detail/CVE-2026-35616

Affected Products

The following products are affected by the CVE-2026-35616 vulnerability. Even where cvefeed.io knows the exact affected versions, that information is not shown in the table below.

ID | Vendor   | Product        | Action
1  | Fortinet | forticlientems |
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.

Score | Version  | Severity | Vector | Exploitability Score | Impact Score | Source
      | CVSS 3.1 | CRITICAL |        |                      |              | 6abe59d8-c742-4dff-8ce8-9b0ca1073da8
      | CVSS 3.1 | CRITICAL |        |                      |              | [email protected]
Solution
Update FortiClientEMS to a version that addresses the improper access control vulnerability.
  • Update FortiClientEMS to the latest available version.
  • Apply vendor patches or security advisories.
  • Restrict access to the affected service.
  • Monitor for unauthorized activity.
Public PoC/Exploit Available at Github

CVE-2026-35616 has 16 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-35616.

URL                                                                                           | Resource
https://fortiguard.fortinet.com/psirt/FG-IR-26-099                                            | Vendor Advisory, Patch
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616        | US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-35616 is associated with the following CWEs:

  • CWE-284: Improper Access Control

We scan GitHub repositories to detect new proof-of-concept exploits. The following list collects public exploits and proofs of concept published on GitHub, sorted by most recently updated.

  • Security advisories published by Caladan Security Studio
    Updated: 6 days, 2 hours ago. 0 stars, 0 forks, 0 watchers. Created: April 23, 2026, 5:16 p.m. Linked to 1 CVE.

  • (no description). Language: Python
    Updated: 3 days, 14 hours ago. 0 stars, 0 forks, 0 watchers. Created: April 21, 2026, 10:21 a.m. Linked to 5 CVEs.

  • (no description). Language: Python
    Updated: 1 week, 2 days ago. 0 stars, 1 fork, 1 watcher. Created: April 20, 2026, 6:08 p.m. Linked to 1 CVE.

  • macOS vulnerability check script - detects 23 recent supply chain attacks and CVEs (Jan-Apr 2026). Language: Shell
    Updated: 1 week, 2 days ago. 0 stars, 0 forks, 0 watchers. Created: April 20, 2026, 3:45 p.m. Linked to 10 CVEs.

  • Standalone offline browser for the CISA Known Exploited Vulnerabilities (KEV) catalog. No server, no install — open in any browser. Languages: Python, HTML
    Updated: 1 week, 1 day ago. 0 stars, 0 forks, 0 watchers. Created: April 20, 2026, 2:15 p.m. Linked to 3 CVEs.

  • Fortinet FortiClientEMS improper access control. Language: Python
    Updated: 1 week ago. 4 stars, 1 fork, 1 watcher. Created: April 19, 2026, 9:46 a.m. Linked to 1 CVE.

  • CVE-2026-35616 - FortiClient EMS Pre-Authentication API Bypass (CVSS 9.1, CISA KEV). Python & Nmap NSE detection scripts with full technical breakdown. One forged HTTP header bypasses authentication on FortiClient EMS 7.4.5–7.4.6, granting full admin API access to all managed endpoints. Languages: Python, Lua
    Topics: authentication-bypass cybersecurity forticlient fortinet nmap-scripts nse-scripts vulnerability-detection vulnerability-research cve-2026-35616 forticlient-ems
    Updated: 2 weeks, 2 days ago. 0 stars, 0 forks, 0 watchers. Created: April 13, 2026, 6:49 p.m. Linked to 1 CVE.

  • (no description). Languages: JavaScript, HTML, CSS
    Updated: 2 weeks, 4 days ago. 0 stars, 0 forks, 0 watchers. Created: April 11, 2026, 5:38 a.m. Linked to 1 CVE.

  • Retrieves CVEs added in the last N days from CISA's Known Exploited Vulnerability (KEV) database. Language: Python
    Updated: 1 week, 5 days ago. 0 stars, 0 forks, 0 watchers. Created: April 8, 2026, 1:52 a.m. Linked to 3 CVEs.

  • (no description). Language: Python
    Updated: 3 weeks, 1 day ago. 0 stars, 0 forks, 0 watchers. Created: April 6, 2026, 9:04 p.m. Linked to 1 CVE.

  • (no description). Language: Python
    Updated: 3 weeks, 2 days ago. 0 stars, 0 forks, 0 watchers. Created: April 6, 2026, 3:24 p.m. Linked to 1 CVE.

  • This tool detects if a FortiClient EMS server is vulnerable to **CVE-2026-35616**, a critical improper access control vulnerability affecting versions **7.4.5 through 7.4.6**. Language: Python
    Updated: 3 weeks, 2 days ago. 0 stars, 0 forks, 0 watchers. Created: April 6, 2026, 3:16 p.m. Linked to 1 CVE.

  • (no description)
    Updated: 2 weeks, 6 days ago. 2 stars, 0 forks, 0 watchers. Created: April 4, 2026, 4:06 p.m. Linked to 1 CVE.

  • CVE-2026-35616. Language: Python
    Updated: 3 weeks, 4 days ago. 0 stars, 0 forks, 0 watchers. Created: April 4, 2026, 8:43 a.m. Linked to 1 CVE.

  • Security Tracker. Language: Python
    Updated: 4 days, 21 hours ago. 0 stars, 0 forks, 0 watchers. Created: April 3, 2026, 11 a.m. Linked to 10 CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2026-35616 vulnerability anywhere in the article.

  • The Hacker News
Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuar ...

Published Date: Apr 18, 2026 (1 week, 4 days ago)
  • The Hacker News
Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploi ...

Published Date: Apr 17, 2026 (1 week, 5 days ago)
  • The Hacker News
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation

A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). To tha ...

Published Date: Apr 17, 2026 (1 week, 5 days ago)
  • The Hacker News
ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories

You know that feeling when you open your feed on a Thursday morning and it's just... a lot? Yeah. This week delivered. We've got hackers getting creative in ways that are almost impressive if you igno ...

Published Date: Apr 16, 2026 (1 week, 6 days ago)
  • The Hacker News
Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution

Cisco has announced patches to address four critical security flaws impacting Identity Services and Webex Services that could result in arbitrary code execution and allow an attacker to impersonate an ...

Published Date: Apr 16, 2026 (1 week, 6 days ago)
  • The Register
Patch these critical Fortinet sandbox bugs that let attackers bypass login, run commands over HTTP

Watch out for more Fortinet vulns! Two critical bugs in Fortinet's sandbox could allow unauthenticated attackers to bypass authentication or execute unauthorized code on vulnerable systems. Luckily, t ...

Published Date: Apr 15, 2026 (2 weeks ago)
  • The Hacker News
Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover

A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild. The vulnerability in question is CVE-20 ...

Published Date: Apr 15, 2026 (2 weeks ago)
  • The Hacker News
April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More

A number of critical vulnerabilities impacting products from Adobe, Fortinet, Microsoft, and SAP have taken center stage in April's Patch Tuesday releases. Topping the list is an SQL injection vulnera ...

Published Date: Apr 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
Adobe Rushes Patches for Critical ColdFusion RCE and Security Bypasses

Adobe has released an urgent set of security updates to address multiple vulnerabilities within its ColdFusion 2025 and 2023 versions. The patches resolve a range of critical and moderate security gap ...

Published Date: Apr 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
Critical 9.1 Flaws Hit Fortinet FortiSandbox

Fortinet has issued an urgent advisory regarding two critical vulnerabilities in its FortiSandbox platform—vulnerabilities that could allow unauthenticated attackers to bypass security entirely and se ...

Published Date: Apr 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
Active SharePoint Spoofing and Legacy Office RCE: CISA Alerts on New KEV Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, sounding a fresh warning about two high-risk security flaws currently being ...

Published Date: Apr 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
25 Million Users at Risk: Fastify Publicly Discloses PoC Exploit for Single-Space Security Bypass

In the world of web performance, Fastify is a heavyweight, boasting over 25 million monthly downloads and a reputation for being one of the fastest frameworks available. However, a newly disclosed vul ...

Published Date: Apr 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
OpenStack Keystone Flaw Grants Access to Disabled LDAP Users

In the complex machinery of cloud identity management, a single misinterpretation of data can lead to a significant security breach. A recently disclosed vulnerability in OpenStack Keystone, the prima ...

Published Date: Apr 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
Urgent Patch Alert: SharePoint Spoofing Under Active Attack as Microsoft Releases April 2026 Updates

Microsoft’s April 2026 Patch Tuesday has arrived with a massive security payload, addressing a staggering 163 vulnerabilities, including eight rated as critical. While the volume alone is significant, ...

Published Date: Apr 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
Critical—9 Vulnerabilities in Orthanc DICOM Servers Threaten Medical Data Integrity

A series of critical security flaws has been uncovered in Orthanc, the popular open-source “lightweight Digital Imaging and Communications in Medicine (DICOM) server used to store, process, and retrie ...

Published Date: Apr 14, 2026 (2 weeks, 1 day ago)
  • The Hacker News
Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security

Google has announced the integration of a Rust-based Domain Name System (DNS) parser into the modem firmware as part of its ongoing efforts to beef up the security of Pixel devices and push memory-saf ...

Published Date: Apr 14, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
Juju’s CVSS 10 Flaw Hands Over Master Cloud Credentials

Juju, the popular open-source application orchestration engine, is facing a critical security emergency. A newly discovered vulnerability, carrying the maximum possible severity rating of CVSS 10, all ...

Published Date: Apr 14, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
CVE-2026-4810: Critical 9.3 RCE Flaw Hits Google’s AI Agent Development Kit

A recently disclosed vulnerability in Google’s Agent Development Kit (ADK) serves as a stark reminder that even the most modular frameworks are not immune to classic security pitfalls. Security resear ...

Published Date: Apr 14, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
CVE-2026-4631: Critical 9.8 RCE Flaw in Cockpit Allows Unauthenticated Server Takeover

In the world of Linux server management, ease of use and security are intended to go hand-in-hand. However, a critical vulnerability discovered in Cockpit, the lightweight and popular interactive serv ...

Published Date: Apr 14, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
Critical wolfSSL Flaw Could Allow Attackers to Spoof Trusted Hosts

In the world of embedded systems and resource-constrained environments, wolfSSL (formerly CyaSSL) is the lightweight champion of security. Known for its small footprint—up to 20 times smaller than Ope ...

Published Date: Apr 14, 2026 (2 weeks, 1 day ago)

The following table lists the changes that have been made to the CVE-2026-35616 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected] (Apr. 06, 2026)

    Action | Type              | Old Value | New Value
    Added  | CPE Configuration |           | OR *cpe:2.3:a:fortinet:forticlientems:7.4.5:*:*:*:*:*:*:* *cpe:2.3:a:fortinet:forticlientems:7.4.6:*:*:*:*:*:*:*
    Added  | Reference Type    |           | Fortinet, Inc.: https://fortiguard.fortinet.com/psirt/FG-IR-26-099 Types: Patch, Vendor Advisory
    Added  | Reference Type    |           | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616 Types: US Government Resource

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Apr. 06, 2026)

    Action | Type      | Old Value | New Value
    Added  | Reference |           | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616

  • New CVE Received by [email protected] (Apr. 04, 2026)

    Action | Type        | Old Value | New Value
    Added  | Description |           | A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
    Added  | CVSS V3.1   |           | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added  | CWE         |           | CWE-284
    Added  | Reference   |           | https://fortiguard.fortinet.com/psirt/FG-IR-26-099
EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.