Fortinet released an out-of-band update to address a critical security flaw being exploited in the wild. The weakness affects the FortiClient Endpoint Management Server (EMS) and has been added to the CISA Known Exploited Vulnerabilities (KEV) list, with guidance for federal agencies to remediate by April 9, 2026.
CVE-2026-35616 is an improper access control vulnerability in Fortinet FortiClient EMS versions 7.4.5 and 7.4.6. The flaw lies in an API endpoint that fails to enforce authentication, allowing an unauthenticated attacker with network access to send specially crafted HTTP requests that the server processes without verification. Successful exploitation can result in unauthorized code execution, privilege escalation, and full compromise of the EMS host.
FortiClient EMS is a centralized endpoint security management server used to deploy, configure, and monitor security policy across devices running the FortiClient agent. Compromise of EMS does not simply place a threat actor on a standalone server; it hands the attacker control of the management platform itself, including the ability to manage endpoint security configurations and telemetry across every device in the managed environment.
CVE-2026-35616 affects FortiClient EMS versions 7.4.5 through 7.4.6 and is expected to be fully patched in 7.4.7. In the meantime, Fortinet's advisory states that the hotfix is sufficient to prevent exploitation. Customers do not need to take any action for FortiClient Cloud and FortiSASE products, as Fortinet has already remediated the issue there.
Further, CVE-2026-35616 can be chained with CVE-2026-21643, a SQL injection vulnerability disclosed in February 2026. Attackers use the authentication bypass in CVE-2026-35616 to reach the backend functionality targeted by the SQL injection, enabling complete system compromise. Address both vulnerabilities to close the exposure.
CVE-2026-21643 affects FortiClient EMS version 7.4.4, for which upgrading to 7.4.5 is recommended. Because 7.4.5 is itself vulnerable to the access control issue, upgrade from 7.4.4 to 7.4.5 and then apply the hotfix. Once version 7.4.7 is released, upgrade again to the fixed release.
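The upgrade path above, as an added Python example that is not from Fortinet or Tenable: it triages an inventory of EMS hosts into the action the advisory prescribes for each version. The inventory lines are constructed sample data, and the hotfix-applied flag is assumed to come from your own asset records, since the version string alone does not reveal whether the hotfix was installed.

```python
# Added example: map FortiClient EMS versions to the remediation steps stated
# in the advisory text above. Inventory lines and the hotfix flag are constructed.
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.5' into (7, 4, 5) so version ranges compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Triage:
    host: str
    version: str
    open_cves: list[str]   # CVEs still unaddressed on this host
    action: str


SQLI_ONLY = (7, 4, 4)                 # CVE-2026-21643: upgrade to 7.4.5, then hotfix
AUTH_BYPASS = ((7, 4, 5), (7, 4, 6))  # CVE-2026-35616: hotfix now, 7.4.7 when released
FIXED = (7, 4, 7)


def triage_host(host: str, version: str, hotfix_applied: bool) -> Triage:
    v = parse_version(version)
    if v == SQLI_ONLY:
        return Triage(host, version, ["CVE-2026-21643"],
                      "upgrade to 7.4.5, then apply the hotfix")
    if AUTH_BYPASS[0] <= v <= AUTH_BYPASS[1]:
        if hotfix_applied:
            return Triage(host, version, [], "hotfix present; upgrade to 7.4.7 when released")
        return Triage(host, version, ["CVE-2026-35616"], "apply the hotfix immediately")
    if v >= FIXED:
        return Triage(host, version, [], "fixed release; no action")
    # Versions outside the ranges the advisory lists are not covered here.
    return Triage(host, version, ["unknown"], "version not covered; consult FG-IR-26-099")


def triage_inventory(lines: list[str]) -> list[Triage]:
    """Each line is 'host,version,hotfix(yes|no)'; see SAMPLE_INVENTORY."""
    results = []
    for line in lines:
        host, version, hotfix = (field.strip() for field in line.split(","))
        results.append(triage_host(host, version, hotfix.lower() == "yes"))
    return results


# Constructed sample inventory, one host per stated version range.
SAMPLE_INVENTORY = ["ems-01,7.4.4,no", "ems-02,7.4.5,no", "ems-03,7.4.6,yes", "ems-04,7.4.7,no"]

if __name__ == "__main__":
    for t in triage_inventory(SAMPLE_INVENTORY):
        print(f"{t.host} {t.version}: {t.action} (open: {t.open_cves or 'none'})")
```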
| CVE | Impacted | Fix | CVSS | Tenable Plugin |
|-----|----------|-----|------|----------------|
| CVE-2026-35616 | FortiClient EMS 7.4.5 – 7.4.6 | Apply the hotfix immediately and upgrade to version 7.4.7 upon release | 9.8 | Coming Soon |
| CVE-2026-21643 | FortiClient EMS 7.4.4 | Upgrade to version 7.4.5 and apply the hotfix. Upgrade to version 7.4.7 upon release | 9.8 | 304507 and 115205 |
References:
- Fortinet Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-099
- Fortinet: Installing EMS Hotfix on FortiClient EMS 7.4.5: https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484
- Fortinet: Practical Guidance on Installing EMS Hotfix on FortiClient EMS 7.4.6: https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484
- Fortinet SQLi vulnerability: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
- Tenable Advisory: https://www.tenable.com/blog/cve-2026-35616-fortinet-forticlientems-improper-access-control-vulnerability-exploited-in-the
- NIST CVE-2026-35616: http://nvd.nist.gov/vuln/detail/CVE-2026-35616
- NIST CVE-2026-21643: https://nvd.nist.gov/vuln/detail/CVE-2026-21643