CVE-2026-35616
CISA KEV

Critical improper access control vulnerability (CWE-284) in Fortinet FortiClient Endpoint Management Server (EMS) versions 7.4.5 and 7.4.6. The flaw resides in the API authentication and authorization layer and lets unauthenticated remote attackers bypass access controls entirely and execute arbitrary code or commands via specially crafted API requests to the management interface (port 443, HTTPS, and port 8013, telemetry). Exploitation requires no authentication and no user interaction and has low attack complexity. Active zero-day exploitation was first recorded by watchTowr on March 31, 2026, four days before Fortinet published the advisory. Defused Cyber independently confirmed exploitation via their Radar system. CISA added this CVE to the KEV catalog on April 6, 2026 with an unusually tight three-day remediation deadline of April 9, 2026. Shadowserver identified approximately 2,000 exposed FortiClient EMS instances online, concentrated in the United States and Germany. This is the second critical FortiClient EMS vulnerability exploited in rapid succession, following CVE-2026-21643. Fortinet released emergency hotfixes 7.4.5.2111 and 7.4.6.2170, with a permanent fix expected in FortiClient EMS 7.4.7. The 7.2.x branch is not affected.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-284
Threats tracking this CVE
- FortiClient EMS Pre-Authentication API Bypass Leading to RCE (CVE-2026-35616) — Active Zero-Day Exploitation — CRITICAL
- CVE-2026-35616: Fortinet FortiClientEMS Pre-Authentication API Bypass Leading to Remote Code Execution (CISA KEV) — CRITICAL
References
- https://fortiguard.fortinet.com/psirt/FG-IR-26-099
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616