
Critical Improper Access Control Vulnerability in FortiClientEMS CVE-2026-35616


Summary

NCSC Ireland issued a critical vulnerability advisory for CVE-2026-35616, affecting Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. The improper access control vulnerability may allow unauthenticated attackers to execute unauthorized code via crafted requests. The vulnerability carries a CVSS score of 9.1 and is listed in the CISA Known Exploited Vulnerabilities catalog. Affected organisations should install the out-of-band hotfix released by Fortinet with the highest priority.

Why this matters

Organisations running FortiClientEMS 7.4.5 or 7.4.6 should treat this as an urgent remediation priority. The KEV catalog listing and CVSS 9.1 severity indicate active exploitation risk. The out-of-band hotfix released by Fortinet should be deployed immediately after testing.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by NCSC-IE on ncsc.gov.ie. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.


What changed

NCSC Ireland released an advisory on 7 April 2026 identifying CVE-2026-35616, a critical improper access control vulnerability in Fortinet FortiClientEMS affecting versions 7.4.5 through 7.4.6. The flaw may allow an unauthenticated attacker to execute unauthorised code or commands via crafted requests and is listed in the CISA Known Exploited Vulnerabilities catalog.

Organisations running FortiClientEMS 7.4.5 or 7.4.6 should treat this as an urgent remediation priority. Fortinet has released an out-of-band hotfix for both affected versions, with installation instructions available in the Fortinet release notes. Given the KEV catalog listing and CVSS 9.1 severity, patching should proceed as the highest priority after testing.

What to do next

  1. The NCSC strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing
  2. Affected organisations should review the latest release notes and install the relevant updates from Fortinet

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

NCSC Advisory

Fortinet: Critical Improper Access Control Vulnerability in FortiClientEMS CVE-2026-35616

7 April 2026

STATUS: TLP:CLEAR

Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol, see https://www.first.org/tlp/. Please treat this document in accordance with the TLP assigned.

TLP: CLEAR

Description

CVE ID: CVE-2026-35616
Published: 2026-04-04
Vendor: Fortinet
Product: FortiClientEMS
CVSS Score [1]: 9.1

Products Affected

Product: FortiClientEMS
Version: 7.4.5 through 7.4.6 (inclusive)

Impact

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Common Weakness Enumeration (CWE) [2]: CWE-284: Improper Access Control
Known Exploited Vulnerability (KEV) catalog [3]: Yes
Used by Ransomware Operators: N/A

[1] https://www.first.org/cvss/
[2] https://cwe.mitre.org
[3] https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Tom Johnson House, Beggar's Bush, Dublin 4, Ireland, D04 K7X4

T +353 (0)1 678 2333 E info@ncsc.gov.ie

ncsc.gov.ie TLP: CLEAR


Recommendations

The NCSC strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing. Affected organisations should review the latest release notes and install the relevant updates from Fortinet. As this is a serious vulnerability under active exploitation, Fortinet has released an out-of-band hotfix for both affected versions of the software. Instructions on how to access and install the hotfix are available at the following links:
https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484
https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484

https://nvd.nist.gov/vuln/detail/CVE-2026-35616
https://www.cve.org/CVERecord?id=CVE-2026-35616
https://fortiguard.fortinet.com/psirt/FG-IR-26-099
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616



About this page


What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from NCSC-IE.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency
NCSC-IE
Published
April 7th, 2026
Instrument
Guidance
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies
Industry sector
5112 Software & Technology
Activity scope
Vulnerability patching Security advisory response Endpoint management software
Threshold
FortiClientEMS versions 7.4.5 through 7.4.6
Geographic scope
Ireland IE

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy
