Exploitation of Zero-Day Vulnerability in FortiClient EMS

CVE-2026-35616 could allow an unauthenticated attacker to perform remote code execution (RCE)

Summary

CVE-2026-35616 could allow an unauthenticated attacker to perform remote code execution (RCE)


Affected platforms

The following platforms are known to be affected:

Threat details

Active exploitation of CVE-2026-35616

Fortinet has reported exploitation of CVE-2026-35616 in the wild, and the US Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.

The NHS England National CSOC assesses it is almost certain there will be further exploitation in the immediate future.


Introduction

Fortinet has released a security update to address a critical severity vulnerability affecting FortiClient EMS (Endpoint Management Server). FortiClient EMS is a security management solution that enables scalable and centralised management of endpoints running FortiClient.

  • CVE-2026-35616 is an "improper access control" vulnerability with a CVSSv3 score of 9.1. Successful exploitation could allow an unauthenticated attacker to remotely execute code or commands via crafted requests.

Remediation advice

Affected organisations must review the Fortinet Security Advisory and complete all remediation steps detailed below. 


Remediation steps

Type Step
Patch

Required: Apply the relevant hotfix

Organisations must install the hotfix for FortiClient EMS 7.4.5 and 7.4.6 as soon as possible.

FortiClient EMS 7.4.5 - https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484

FortiClient EMS 7.4.6 - https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484


https://fortiguard.fortinet.com/psirt/FG-IR-26-099

Strongly Recommended: Apply version 7.4.7 when released

Fortinet will also include the fix for this issue in the upcoming FortiClient EMS version 7.4.7. Organisations are strongly encouraged to update to version 7.4.7 as soon as it is released.


https://fortiguard.fortinet.com/psirt/FG-IR-26-099

Definitive source of threat updates


Last edited: 7 April 2026 11:20 am