Fortinet released an out-of-band update to address a critical security flaw being exploited in the wild. The weakness affects the FortiClient Endpoint Management Server (EMS) and has been added to the CISA Known Exploitable Vulnerabilities (KEV) list, with guidance for federal agencies to remediate by April 9, 2026.
CVE-2026-35616 is an improper access control vulnerability in Fortinet FortiClient EMS versions 7.4.5 and 7.4.6. The flaw exists in an API endpoint that fails to enforce authentication, enabling an unauthenticated attacker with network access to send specially crafted HTTP requests that the server processes without verification. This can result in unauthorized code execution, privilege escalation, and potential full compromise of the EMS host.
FortiClient EMS is a centralized endpoint security management server used to deploy, configure, and monitor security policy across devices running the FortiClient agent. The compromise of EMS does not simply place a threat actor on a standalone server. Rather, the attacker gains control of the platform, including the ability to manage endpoint security configurations and telemetry across all devices in the managed environment.
CVE-2026-35616 affects FortiClient EMS versions 7.4.5 through 7.4.6 and is expected to be fully patched in 7.4.7. Until then, Fortinet’s advisory states that the hotfix is sufficient to prevent exploitation. No customer action is required for FortiClient Cloud and FortiSASE, as Fortinet has already remediated the issue in those products.
Note also that CVE-2026-35616 can be chained with CVE-2026-21643, a SQL injection vulnerability from February 2026. Attackers use the authentication bypass in CVE-2026-35616 to reach the backend functionality targeted by the SQL injection vulnerability, enabling complete system compromise. Address both vulnerabilities to eliminate exposure.
CVE-2026-21643 affects FortiClient EMS version 7.4.4, for which the recommended fix is upgrading to 7.4.5. Because 7.4.5 is itself vulnerable to the access control issue, upgrade from 7.4.4 to 7.4.5 and then apply the hotfix. Once version 7.4.7 is released, upgrade again to that fixed release.
| CVE | Impacted | Fix | CVSS | CWE | Tenable Plugin |
|---|---|---|---|---|---|
| CVE-2026-35616 | FortiClient EMS 7.4.5 – 7.4.6 | Apply the hotfix immediately and upgrade to version 7.4.7 upon release | 9.8 | 284 | Coming soon |
| CVE-2026-21643 | FortiClient EMS 7.4.4 | Upgrade to version 7.4.5 and apply the hotfix. Upgrade to version 7.4.7 upon release | 9.8 | 89 | 304507 and 115205 |
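The two-step remediation path above (7.4.4 → 7.4.5 → hotfix → 7.4.7) is easy to get wrong across a fleet, so the following added example, not code from the advisory or from Fortinet, turns the version ranges stated in this bulletin into a triage function that maps an installed EMS version to its required action. The host names and versions in the sample inventory are constructed, and the `hotfix_applied` flag is an assumption standing in for however your asset inventory records hotfix state; the advisory does not describe how to detect the hotfix programmatically. Versions outside the ranges the bulletin names are reported as out of scope rather than assumed safe.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges and fixed release exactly as stated in the advisory.
SQLI_AFFECTED: Tuple[Version, Version] = ((7, 4, 4), (7, 4, 4))         # CVE-2026-21643
ACCESS_CTRL_AFFECTED: Tuple[Version, Version] = ((7, 4, 5), (7, 4, 6))  # CVE-2026-35616
FIXED_RELEASE: Version = (7, 4, 7)


@dataclass
class Host:
    name: str              # constructed hostname for the sample inventory
    version: str           # EMS version string as reported by inventory
    hotfix_applied: bool = False  # assumed inventory field, see lead-in


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EMS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def in_range(v: Version, bounds: Tuple[Version, Version]) -> bool:
    lo, hi = bounds
    return lo <= v <= hi


def classify(host: Host) -> Tuple[str, str]:
    """Return (status, action) for one host based on the bulletin's guidance."""
    v = parse_version(host.version)
    if v >= FIXED_RELEASE:
        return ("fixed", "no action required")
    if in_range(v, SQLI_AFFECTED):
        # 7.4.4 is hit by the SQLi; the fix path passes through 7.4.5 plus hotfix.
        return ("vulnerable",
                "CVE-2026-21643: upgrade to 7.4.5, apply the hotfix, then 7.4.7 on release")
    if in_range(v, ACCESS_CTRL_AFFECTED):
        if host.hotfix_applied:
            return ("mitigated", "hotfix present; upgrade to 7.4.7 upon release")
        return ("vulnerable",
                "CVE-2026-35616: apply the hotfix immediately; upgrade to 7.4.7 upon release")
    # Older or unexpected versions are not covered by this bulletin at all.
    return ("unknown", "version not covered by this advisory; check FG-IR-26-099 and FG-IR-25-1142")


def triage(hosts: List[Host]) -> Dict[str, Tuple[str, str]]:
    """Classify every host; vulnerable entries are listed first for prioritisation."""
    order = {"vulnerable": 0, "unknown": 1, "mitigated": 2, "fixed": 3}
    results = {h.name: classify(h) for h in hosts}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1][0]]))


if __name__ == "__main__":
    # Constructed sample inventory covering each branch of the decision.
    inventory = [
        Host("ems-lab-01", "7.4.4"),
        Host("ems-prod-01", "7.4.5"),
        Host("ems-prod-02", "7.4.6", hotfix_applied=True),
        Host("ems-stage-01", "7.4.7"),
        Host("ems-legacy-01", "7.2.0"),
    ]
    for name, (status, action) in triage(inventory).items():
        print(f"{name:14} {status:10} {action}")
```

Feed it the version column from your EMS inventory and the vulnerable rows are what to work first; a host that reports 7.4.5 or 7.4.6 without a recorded hotfix is treated as exposed, which is the safe default when hotfix state cannot be confirmed.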
Reference Links
- Fortinet Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-099
- Fortinet – Installing EMS Hotfix on FortiClient EMS 7.4.5: https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484
- Fortinet – Practical Guidance on Installing EMS Hotfix on FortiClient EMS 7.4.6: https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484
- Fortinet SQLi vulnerability: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
- Tenable Advisory: https://www.tenable.com/blog/cve-2026-35616-fortinet-forticlientems-improper-access-control-vulnerability-exploited-in-the
- NIST CVE-2026-35616: https://nvd.nist.gov/vuln/detail/CVE-2026-35616
- NIST CVE-2026-21643: https://nvd.nist.gov/vuln/detail/CVE-2026-21643
Glossary
| Term | Description |
|---|---|
| CVE (Common Vulnerabilities and Exposures) | Publicly disclosed identifier assigned to a specific cybersecurity vulnerability. Example: CVE-2025-53770. |
| CWE (Common Weakness Enumeration) | Community-developed list of common software and hardware weakness types that can lead to security vulnerabilities. |
| CVSS (Common Vulnerability Scoring System) | Standardized framework for assessing the severity of vulnerabilities. Scores range from 0.0 to 10.0. |
| EPSS (Exploit Prediction Scoring System) | A model that predicts the likelihood that a vulnerability will be exploited in the wild, often expressed as a percentage. |
| OS (Operating System) | System software that manages hardware, software, and resources, and provides services for applications. Examples: Windows, macOS, Linux. |