CVE-2026-35616

Analyzed
Published: 04 Apr 2026, 00:38
Last modified:21 Apr 2026, 08:35

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
43.21% HIGH
43% probability -6.05%
KEV
Listed
CIRCL • CISA
2 listings
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

04 Apr 2026, 00:38
Published
Vulnerability first disclosed
06 Apr 2026, 00:00
Added to CIRCL KEV
Added to Known Exploited Vulnerabilities catalog
06 Apr 2026, 00:00
Added to CISA KEV
Fortinet FortiClient EMS Improper Access Control Vulnerability
09 Apr 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
21 Apr 2026, 08:35
Last Modified
Vulnerability information updated

Description

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

CVSS Metrics

  • v3.1CRITICALScore: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 43.21% Percentile: 98%

Techniques & Countermeasures

  • CWE-284Improper Access Control

    The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Affected Systems

  • UnknownFortiClientEMS

    7.4.5 | 7.4.6 | ≥ 7.4.5, ≤ 7.4.6

References (2)