# CVE-2026-35616

> Critical improper access control vulnerability (CWE-284) in Fortinet FortiClient Endpoint Management Server (EMS) versions 7.4.5 and 7.4.6. The flaw is in the API authentication and authorization layer: an unauthenticated remote attacker can bypass access controls and execute arbitrary code or commands by sending specially crafted API requests to the management interface (443/HTTPS and 8013/telemetry). Exploitation requires no authentication and no user interaction and has low attack complexity. Active zero-day exploitation was first recorded by watchTowr on March 31, 2026 — four days be

- **CVSS:** 9.8 (CRITICAL)
- **EPSS:** 25.3%
- **CISA KEV:** yes
- **CWE:** CWE-284
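The summary above gives the two things a defender needs right away: the affected builds (7.4.5 and 7.4.6) and the two listening ports to check for exposure. The script below is an added example, not code from the advisory, from Fortinet or from Threadlinqs. It triages a constructed EMS inventory against exactly those facts: it parses version strings, flags hosts on an affected build, and ranks them by whether 443 or 8013 is reachable from an untrusted network. The `EmsHost` record layout and its `exposed_ports` field are assumptions for the example; how you populate them (CMDB export, scan results) is up to you.

```python
"""Inventory triage for CVE-2026-35616 (FortiClient EMS 7.4.5 / 7.4.6).

Added example, not vendor or advisory code. Affected versions and the
watched ports come from the advisory summary; the inventory record format
is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Inclusive range taken from the advisory text. Versions outside it are
# simply not flagged here; confirm fixed builds against the vendor advisory
# rather than treating "not in range" as "safe".
AFFECTED_RANGE: Tuple[Tuple[int, ...], Tuple[int, ...]] = ((7, 4, 5), (7, 4, 6))

# Ports named in the advisory as the attack surface.
WATCHED_PORTS: Dict[int, str] = {443: "HTTPS management", 8013: "telemetry"}


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn '7.4.6' or '7.4.6 build 2044' into a comparable (major, minor, patch)."""
    core = raw.strip().split()[0]          # drop any trailing 'build NNNN'
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unparseable EMS version: {raw!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    lo, hi = AFFECTED_RANGE
    return lo <= parse_version(version) <= hi


@dataclass
class EmsHost:
    hostname: str
    version: str
    exposed_ports: List[int]   # assumed field: ports reachable from untrusted networks


def triage(hosts: List[EmsHost]) -> List[dict]:
    """Return affected hosts, most urgent first.

    P1: affected build with 443 or 8013 reachable from untrusted networks.
    P2: affected build, watched ports not exposed (still KEV-listed; patch soon).
    """
    findings = []
    for h in hosts:
        if not is_affected(h.version):
            continue
        hot = sorted(p for p in h.exposed_ports if p in WATCHED_PORTS)
        findings.append({
            "host": h.hostname,
            "version": h.version,
            "exposed": [f"{p}/{WATCHED_PORTS[p]}" for p in hot],
            "priority": "P1" if hot else "P2",
        })
    # P1 before P2, then more exposed ports first, then stable by hostname.
    findings.sort(key=lambda f: (f["priority"], -len(f["exposed"]), f["host"]))
    return findings


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    EmsHost("ems-hq-01", "7.4.6 build 2044", [443, 8013]),  # affected, fully exposed
    EmsHost("ems-lab-01", "7.4.5", []),                      # affected, internal only
    EmsHost("ems-dc-02", "7.4.4", [443]),                    # below the listed range
    EmsHost("ems-eu-01", "7.4.7", [443, 8013]),              # above the listed range
]


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["priority"], f["host"], f["version"], ", ".join(f["exposed"]) or "not exposed")
```

Feed it your real EMS inventory and the P1 rows are the hosts to patch or pull off the internet first; a P2 row is still KEV-listed and should not wait long. Version strings that do not parse raise rather than silently passing, so a malformed CMDB entry shows up instead of hiding an affected server.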

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-35616
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp
