CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild


Exploitation has been observed for CVE-2026-35616, a critical improper access control zero-day vulnerability affecting Fortinet FortiClientEMS devices.

Key takeaways:

CVE-2026-35616, an improper access control vulnerability, has been exploited in the wild as a zero-day.
Public exploit code has been identified, and Fortinet products have a long history of being targeted by malicious actors.
Fortinet has released hotfixes, which should be applied as soon as possible to protect against this threat.

Background
On April 4, Fortinet published a security advisory (FG-IR-26-099) for CVE-2026-35616, a critical improper access control vulnerability affecting Fortinet FortiClientEMS.

CVE             Description                                                      CVSSv3
CVE-2026-35616  Fortinet FortiClientEMS Improper Access Control Vulnerability    9.1

Analysis
CVE-2026-35616 is a critical improper access control vulnerability affecting Fortinet FortiClientEMS. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code by sending specially crafted requests that bypass API authentication.
While no attribution had been provided at the time this blog was published, Fortinet's advisory confirms that exploitation has been observed. The advisory credits Simo Kohonen from Defused and Nguyen Duc Anh for reporting the vulnerability to Fortinet. On April 4, Defused published a LinkedIn post confirming its observations of zero-day exploitation of this flaw.
At the time this blog was published, Tenable Research has classified this flaw as a Vulnerability of Interest according to our Vulnerability Watch classification system.
Historical Exploitation of Fortinet Devices
Fortinet vulnerabilities have historically been common targets for attackers: 24 Fortinet CVEs are currently on the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, 13 of them linked to ransomware campaigns. Targeting of Fortinet flaws has been attributed to a number of threat actors, including Salt Typhoon.
Just over a week ago, Defused reported in-the-wild exploitation of CVE-2026-21643, an SQL injection vulnerability affecting FortiClientEMS. Fortinet's advisory for that flaw now reflects that exploitation has been observed, but as of April 6 it had not yet been added to the KEV.
At the time this blog was published on April 6, CVE-2026-35616 had not been added to the KEV, however we anticipate that it is likely to be added in the near future.
As Fortinet devices have been popular targets for attackers, the Tenable Research Special Operations Team (RSO) has authored several blogs about vulnerabilities affecting these devices. The following table outlines some of the most impactful Fortinet vulnerabilities in recent years.

Proof of concept
As of April 6, a public proof-of-concept has been identified on GitHub; however, Tenable Research has not yet verified the exploit. Given the past exploitation of Fortinet devices and the published exploit code for several earlier vulnerabilities, we anticipate that exploitation will continue to increase as additional exploits are released.
Solution
The following table details the affected and fixed versions of Fortinet FortiClientEMS for CVE-2026-35616:

Product Version       Affected Range          Fixed Version
FortiClientEMS 7.2    Not affected            N/A
FortiClientEMS 7.4    7.4.5 through 7.4.6     7.4.7 or above

As of April 6, Fortinet has provided a hotfix for FortiClientEMS 7.4.5 and 7.4.6 to address this vulnerability. Version 7.4.7, which will contain the fix, has not yet been released; until it is, the hotfix must be applied to be protected against this vulnerability. We recommend reviewing the security advisory, as Fortinet may update the document.
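To turn the version table above into something you can run against an asset inventory, here is an added triage script. It is example code written for this page, not Tenable or Fortinet tooling. It encodes the published ranges (7.4.5 through 7.4.6 affected, 7.4.7 or later fixed, 7.2 not affected) and treats branches the table does not list as unknown rather than safe. It also assumes that the hotfix does not change the version string FortiClientEMS reports, so a host on 7.4.5 or 7.4.6 is flagged for hotfix verification rather than declared patched or vulnerable on version alone. The inventory rows are constructed sample data.

```python
"""Triage FortiClientEMS inventory rows against the CVE-2026-35616 fix table (FG-IR-26-099)."""
import re
from typing import Dict, List, Optional, Tuple

# Ranges as published in the advisory table reproduced above.
AFFECTED_MIN = (7, 4, 5)   # first affected 7.4 release
AFFECTED_MAX = (7, 4, 6)   # last affected 7.4 release
FIXED_MIN = (7, 4, 7)      # first release carrying the fix (not yet shipped as of April 6)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from an inventory string such as '7.4.6 build 1880'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version_text: str, hotfix_applied: Optional[bool] = None) -> str:
    """Map a reported version (plus optional hotfix evidence) to a triage status.

    Returns one of: 'not_affected', 'fixed', 'affected', 'mitigated',
    'verify_hotfix', 'unknown'.
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    branch = v[:2]
    if branch == (7, 2):
        return "not_affected"          # explicitly listed as not affected
    if branch != (7, 4):
        return "unknown"               # branch not covered by the published table
    if v >= FIXED_MIN:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        # Assumption: the hotfix leaves the reported version unchanged, so the
        # version string alone cannot distinguish patched from unpatched hosts.
        if hotfix_applied is True:
            return "mitigated"
        if hotfix_applied is False:
            return "affected"
        return "verify_hotfix"
    return "not_affected"              # 7.4.0-7.4.4: outside the published affected range


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "ems-01", "version": "7.4.6 build 1880", "hotfix": None},
    {"host": "ems-02", "version": "7.4.5", "hotfix": True},
    {"host": "ems-03", "version": "7.4.5", "hotfix": False},
    {"host": "ems-04", "version": "7.4.7", "hotfix": None},
    {"host": "ems-05", "version": "7.2.8", "hotfix": None},
    {"host": "ems-06", "version": "7.4.3", "hotfix": None},
    {"host": "ems-07", "version": "7.0.11", "hotfix": None},
    {"host": "ems-08", "version": "n/a", "hotfix": None},
]


def triage(inventory: List[Dict[str, object]]) -> Dict[str, str]:
    """Return {host: status} for every row in the inventory."""
    return {
        str(row["host"]): classify(str(row["version"]), row["hotfix"])  # type: ignore[arg-type]
        for row in inventory
    }


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts that come back as 'verify_hotfix' are the ones to chase first: confirm the hotfix from the EMS console or Fortinet's hotfix documentation, and record the result in the inventory so the next run returns 'mitigated' or 'affected' instead.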
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-35616 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Fortinet devices by using the following subscription:

Get more information
Join the Tenable Community.
Learn more about , the Exposure Management Platform for the modern attack surface.

*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Scott Caveza. Read the original post at: https://www.tenable.com/blog/cve-2026-35616-fortinet-forticlientems-improper-access-control-vulnerability-exploited-in-the
