
Fortinet FortiClientEMS Improper Access Control Vulnerability

Source: CISA Cybersecurity Advisories (www.cisa.gov)
Published April 6th, 2026
Detected April 6th, 2026

Summary

CISA's Authorized Data Publisher (ADP) entry for CVE-2026-35616 flags a critical improper access control vulnerability in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. The CVE record carries a CVSS 3.1 score of 9.1 (CRITICAL), and the flaw allows an unauthenticated attacker to execute unauthorized code or commands via crafted requests. CISA's SSVC assessment rates exploitation as active and automatable with total technical impact, and the vulnerability is listed in the Known Exploited Vulnerabilities (KEV) catalog.

What changed

Fortinet (the CNA) disclosed CVE-2026-35616, a critical improper access control vulnerability in FortiClientEMS versions 7.4.5 through 7.4.6; the record tags it CWE-284, labelled "Escalation of Privilege" in the CNA entry (the CWE's canonical name is Improper Access Control). The vulnerability allows an unauthenticated remote attacker to execute unauthorized code or commands via crafted requests. The published CVSS 3.1 score of 9.1 (CRITICAL) is the temporal score: the base metrics in the vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) compute to a 9.8 base score, and the temporal metrics E:F (functional exploit exists), RL:O (official fix available) and RC:C (confirmed) bring it to 9.1. Network-reachable, no privileges, no user interaction and high impact on confidentiality, integrity and availability, with exploitation confirmed active, makes this a full-compromise bug; because EMS is the management server for FortiClient endpoints, compromise of the EMS host also exposes the endpoints it manages, with data exfiltration and network pivoting as the likely follow-on.

Organizations running affected FortiClientEMS versions must immediately apply patches or upgrade to a non-vulnerable version. CISA recommends reviewing Fortinet advisory FG-IR-26-099 for remediation details, auditing systems for indicators of compromise, and implementing network-based detection for exploitation attempts. Federal civilian agencies are required under BOD 22-01 to remediate KEV-cataloged vulnerabilities by the due date given in the catalog entry.

What to do next

  1. Immediately update FortiClientEMS to a fixed version (later than 7.4.6) as directed in Fortinet advisory FG-IR-26-099; the vector's RL:O confirms an official fix is available
  2. Audit EMS hosts for indicators of compromise and unauthorized access, treating any host that ran 7.4.5 or 7.4.6 while network-reachable as potentially compromised; the KEV entry supplies the remediation due date, not indicators, so check the Fortinet advisory for any indicators Fortinet publishes
  3. Implement network-based detection and monitoring for exploitation attempts targeting FortiClientEMS, and as a general precaution restrict access to the EMS management interface so it is not reachable from untrusted networks while patching is under way

Source document (simplified)

Required CVE Record Information

CNA: Fortinet, Inc.

Description

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

CWE

- CWE-284: Escalation of privilege

CVSS
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 9.1 | CRITICAL | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |

Product Status

Default status: unaffected

Affected:

  • affected from 7.4.5 through 7.4.6
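The affected range above maps directly onto the CVE JSON 5.x product-status structure (defaultStatus plus versions[] entries with version and lessThanOrEqual). The following Python script is an added example, not part of the CVE record or any Fortinet tool: it reconstructs that structure from the page's product status (only the fields the evaluator reads, and only the one range shown here) and evaluates an installed version string against it, comparing numerically so that a hypothetical 7.4.10 is not mis-sorted below 7.4.6 the way a plain string comparison would.

```python
"""Evaluate a CVE JSON 5.x product-status block against an installed version.

Added example, not part of the CVE record or of any Fortinet tooling.
The AFFECTED structure is a hand-built reconstruction of the product
status shown on this page, using the CVE 5.x versions[] field names.
"""

# Constructed from the page's Product Status (default unaffected;
# affected from 7.4.5 through 7.4.6). Other fields of the real record
# are omitted; only what the evaluator reads is reconstructed.
CVE_2026_35616_AFFECTED = {
    "vendor": "Fortinet",
    "product": "FortiClientEMS",
    "defaultStatus": "unaffected",
    "versions": [
        {"version": "7.4.5", "lessThanOrEqual": "7.4.6", "status": "affected"},
    ],
}


def parse_version(s: str) -> tuple:
    """Turn '7.4.10' into (7, 4, 10) so comparison is numeric, not lexical.

    A plain string compare ranks '7.4.10' below '7.4.6' and would report a
    later build as inside the affected range."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in parts)


def _key(v: tuple, width: int) -> tuple:
    """Zero-pad so 7.4 compares equal to 7.4.0 when entries mix widths."""
    return v + (0,) * (width - len(v))


def version_status(installed: str, record: dict = CVE_2026_35616_AFFECTED) -> str:
    """Return this record's status for `installed`: an entry's status if the
    version equals `version` or lies in [version, lessThan) or
    [version, lessThanOrEqual], else the record's defaultStatus."""
    inst = parse_version(installed)
    for entry in record["versions"]:
        start = parse_version(entry["version"])
        width = max(len(inst), len(start))
        if "lessThan" in entry:
            end = parse_version(entry["lessThan"])
            width = max(width, len(end))
            hit = _key(start, width) <= _key(inst, width) < _key(end, width)
        elif "lessThanOrEqual" in entry:
            end = parse_version(entry["lessThanOrEqual"])
            width = max(width, len(end))
            hit = _key(start, width) <= _key(inst, width) <= _key(end, width)
        else:
            hit = _key(start, width) == _key(inst, width)
        if hit:
            return entry["status"]
    return record["defaultStatus"]


if __name__ == "__main__":
    # Constructed inventory lines: hostname and EMS version, as an asset
    # register might export them.
    inventory = [("ems-prod-01", "7.4.6"), ("ems-lab-02", "7.4.10"), ("ems-old-03", "7.4.4")]
    for host, ver in inventory:
        print(f"{host}\t{ver}\t{version_status(ver)}")
```

An "unaffected" result reflects only this record's stated range: 7.4.4 and earlier are unaffected by CVE-2026-35616 as published, which is not a reason to downgrade, and a later update to the record may add ranges this reconstruction does not carry, so regenerate it from the live CVE JSON rather than from the page.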

References: 1 listed in the CVE record (not reproduced here)

Authorized Data Publishers

CISA-ADP (updated 2026-04-06): supplies SSVC and KEV data, plus CVSS and CWE if not provided by the CNA.

SSVC
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-04-06 |

Named provisions

- CWE-284: Escalation of Privilege
- SSVC decision parameters
- KEV catalog entry

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
CISA
Published
April 6th, 2026
Instrument
Guidance
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
CVE-2026-35616

Who this affects

Applies to
Technology companies; Government agencies
Industry sector
5112 Software & Technology; 9261 Government Contracting
Activity scope
Vulnerability Management; Enterprise Software Security; Incident Response
Threshold
FortiClientEMS versions 7.4.5 through 7.4.6
Geographic scope
United States (US)

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF; NIST 800-53
Topics
Data Privacy; Critical Infrastructure
