Full Report
AL26-007 - Vulnerability impacting Fortinet FortiClientEMS - CVE-2026-35616
Analysis Summary
# Vulnerability: Fortinet FortiClientEMS Remote Code Execution via Improper Access Control
## CVE Details
- **CVE ID:** CVE-2026-35616
- **CVSS Score:** Critical (Numerical score not explicitly provided in text, but categorized as "Critical" and listed in CISA KEV)
- **CWE:** CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** Fortinet FortiClient Endpoint Management Server (EMS)
- **Versions:**
- 7.4.5
- 7.4.6
- **Configurations:** Systems running affected versions of EMS used for centralized security management of endpoint agents. FortiClientEMS 7.2 and prior are reportedly not affected.
## Vulnerability Description
CVE-2026-35616 is an improper access control vulnerability occurring within the API authentication and authorization mechanisms of FortiClientEMS. The flaw allows an unauthenticated, remote attacker to bypass security controls. By sending specially crafted requests to the EMS server, an attacker can achieve unauthorized execution of code or commands on the underlying system.
## Exploitation
- **Status:** **Exploited in the wild.** This vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026.
- **Complexity:** Low (Implied by the ability to use "crafted requests" against an API).
- **Attack Vector:** Network (Unauthenticated remote access).
## Impact
- **Confidentiality:** High (Unauthorized code execution allows data access).
- **Integrity:** High (Unauthorized command execution allows system modification).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
Fortinet has released hotfixes for the affected versions and plans a permanent fix in a future release:
- **For version 7.4.5:** Install the specific hotfix provided by Fortinet.
- **For version 7.4.6:** Install the specific hotfix provided by Fortinet.
- **Future Version:** Upgrade to **FortiClientEMS 7.4.7** or above once available.
### Workarounds
- No specific software workarounds were provided in the article. Fortinet recommends applying the hotfixes immediately.
- General mitigation includes isolating web-facing applications and hardening the operating system hosting the EMS.
## Detection
- **Indicators of Compromise:** Look for unauthorized or unusual API requests aimed at the FortiClientEMS management interface.
- **Detection methods and tools:** Monitor network logs for patterns related to administrative API bypass attempts. Organizations should report any discovered suspicious activity to the Canadian Centre for Cyber Security via hxxps[://]www[.]cyber[.]gc[.]ca/en/incident-management.
## References
- Fortinet Advisory (FG-IR-26-099): hxxps[://]www[.]fortiguard[.]com/psirt/FG-IR-26-099
- CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Canadian Centre for Cyber Security Alert (AL26-007): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/al26-007-vulnerability-impacting-fortinet-forticlientems-cve-2026-35616
- NVD CVE Detail: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-35616