Zero Day Monitor (ZDM)
CVE-2026-35616 · CVSS 9.1 · KEV · EXPLOITED · PATCHED
fortinet · forticlientems

CVE-2026-35616: An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated atta

Description

The flaw can be exploited remotely, without authentication, via crafted requests to achieve remote code execution (RCE). The observed execution pattern suggests that threat actors used FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations. The information-stealing malware deployed in these attacks targets Chrome, Microsoft Edge, Firefox, and other Chromium and Gecko-based browsers for credential, cookie, and autofill data theft. The harvested data is exfiltrated over HTTP.

Affected Products

Vendor | Product | Versions
fortinet | forticlientems | 7.4.5

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
fortinet | forticlient | cert_advisory | 90%

References

  • https://fortiguard.fortinet.com/psirt/FG-IR-26-099

Related News (20 articles)

Tier D · SecurityWeek · 1h ago
Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks
→ No new info (linked only)

Tier D · BleepingComputer · 15d ago
Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
→ No new info (linked only)

Tier B · CERT-FR · 45d ago
News bulletin CERTFR-2026-ACT-017 (13 April 2026)
→ No new info (linked only)

Tier B · CCCS Canada · 50d ago
AL26-007 - Vulnerability impacting Fortinet FortiClientEMS - CVE-2026-35616
→ No new info (linked only)

Tier B · CCCS Canada · 51d ago
Fortinet security advisory (AV26-313)
→ No new info (linked only)

Tier B · BSI Advisories · 51d ago
[NEW] [critical] Fortinet FortiClient EMS: Vulnerability allows code execution
→ No new info (linked only)

Tier B · CERT-FR · 51d ago
Vulnerability in Fortinet FortiClientEMS (07 April 2026)
→ No new info (linked only)

Tier D · Dark Reading · 51d ago
Fortinet Issues Emergency Patch for FortiClient Zero-Day
→ No new info (linked only)

Tier D · The Record · 51d ago
Singapore, US warn of latest Fortinet bug being exploited in wild
→ No new info (linked only)

Tier D · BleepingComputer · 51d ago
CISA orders feds to patch exploited Fortinet EMS flaw by Friday
→ No new info (linked only)

Tier D · The Hacker News · 52d ago
⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
→ No new info (linked only)

Tier D · SecurityWeek · 52d ago
Fortinet Rushes Emergency Fixes for Exploited Zero-Day
→ No new info (linked only)

Tier D · BleepingComputer · 52d ago
New FortiClient EMS flaw exploited in attacks, emergency patch released
→ No new info (linked only)

Tier D · Heise Security · 53d ago
Update now! Critical FortiClient EMS flaw is under attack
→ No new info (linked only)

Tier D · Help Net Security · 53d ago
Week in review: Axios npm supply chain compromise, critical FortiClient EMS bugs exploited
→ No new info (linked only)

Tier D · The Hacker News · 53d ago
Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
→ No new info (linked only)

Tier E · Reddit r/cybersecurity · 53d ago
Fortinet CVE-2026-35616 Actively Exploited as Zero Day
→ No new info (linked only)

Tier D · Help Net Security · 54d ago
FortiClient EMS zero-day exploited, emergency hotfixes available (CVE-2026-35616)
→ No new info (linked only)

Tier A · Fortinet PSIRT · 54d ago
API authentication and authorization bypass
→ No new info (linked only)

Tier C · VulDB · 54d ago
CVE-2026-35616 | Fortinet FortiClientEMS up to 7.4.6 access control (FG-IR-26-099)
→ No new info (linked only)

CVSS 3.1: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CISA KEV: ✅ Yes
Actively exploited: ✅ Yes
Patch available: 7.4.7
CWE: CWE-284, CWE-862
Published: Apr 4, 2026
Last enriched: 1h ago (v13)
Tags: zero-day, API authentication, authorization bypass, pre-authentication, code execution, in-the-wild exploitation, government advisory, API access bypass, elevation of privileges, Zero Trust Network Access (ZTNA), ransomware, cyber-espionage, information stealing, malware deployment, CISA KEV
Trending Score: 171 🔥
Source articles: 20
Independent: 13
Info Completeness: 12/14
Missing: epss, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-26083
CVE-2026-26083: A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, Fo
Trending: 15

CRITICAL · CVE-2026-44277 · EXP
CVE-2026-44277: An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticat
Trending: 12

HIGH · CVE-2025-53844 · EXP
CVE-2025-53844: An out-of-bounds write vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0
Trending: 9

MEDIUM · CVE-2025-53681
CVE-2025-53681: An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] vulnerab
Trending: 9

MEDIUM · CVE-2025-53870 · EXP
CVE-2025-53870: An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet
Trending: 8

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

Apr 4, 2026 · CVE Published
Apr 4, 2026 · Added to CISA KEV
Apr 4, 2026 · Discovered by ZDM
Apr 4, 2026 · Updated: affectedVersions, exploitAvailable, activelyExploited, patchAvailable
Apr 5, 2026 · Updated: affectedVersions
Apr 5, 2026 · Updated: description, tags
Apr 5, 2026 · Updated: description, iocs, tags
Apr 6, 2026 · Updated: affectedVersions, patchAvailable
Apr 6, 2026 · Updated: tags
Apr 6, 2026 · Updated: description, affectedVersions, tags
Apr 7, 2026 · Updated: affectedVersions, patchAvailable, tags
Apr 7, 2026 · Updated: affectedVersions, patchAvailable, tags
Apr 13, 2026 · Updated: cvssEstimate
Apr 21, 2026 · Actively Exploited
Apr 21, 2026 · Exploit Available
Apr 21, 2026 · Patch Available
May 12, 2026 · Updated: cweIds, tags
May 28, 2026 · Updated: description, tags

Version History

v13
Last enriched 1h ago
v13 · Tier D · 1h ago

Updated description with detailed exploitation methods and added new IoCs and tags related to the information-stealing malware.

description, tags
via SecurityWeek

v12 · Tier D · 15d ago

Updated description to include active exploitation context and added new CWE IDs and tags related to ransomware and cyber-espionage.

cweIds, tags
via BleepingComputer

v11 · Tier B · 45d ago

Updated CVSS from 9.1 to 9.8 and noted that the patch is now null.

cvssEstimate
via CERT-FR

v10 · Tier B · 50d ago

Added affected version 7.4.7 and updated patch available to 7.4.7, along with a new tag for Zero Trust Network Access (ZTNA).

affectedVersions, patchAvailable, tags
via CCCS Canada

v9 · Tier B · 51d ago

Updated affected versions to include 7.4.6, added patch version 7.4.6, and included a new tag for elevation of privileges.

affectedVersions, patchAvailable, tags
via CERT-FR

v8 · Tier D · 51d ago

Updated description with more technical detail, added affected version 7.4.7, and included new tags and IoCs.

description, affectedVersions, tags
via BleepingComputer

v7 · Tier D · 51d ago

Updated patch availability to 'hotfix' and added new tags related to in-the-wild exploitation and government advisory.

tags
via The Record

v6 · Tier D · 52d ago

Added affected version 7.2 and noted that the patch available is now null as hotfixes are provided.

affectedVersions, patchAvailable
via SecurityWeek

v5 · Tier D · 52d ago

Updated description with more technical details, added new tags, and confirmed patch version 7.4.7.

description, iocs, tags
via BleepingComputer

v4 · Tier D · 53d ago

Updated description with details on the zero-day exploitation and added relevant tags.

description, tags
via Help Net Security

v3 · Tier D · 53d ago

Updated CVSS from 9.1 to 9.8, added affected version 7.4.6, and confirmed patch available as 7.4.7.

affectedVersions
via Heise Security

v2 · Tier A · 54d ago

Added affected version 7.4.6, confirmed active exploitation, and noted patch availability in version 7.4.7.

affectedVersions, exploitAvailable, activelyExploited, patchAvailable
via Fortinet PSIRT

v1 · 54d ago

Initial creation