CVE-2026-35616: Fortinet FortiClient EMS Improper Access Control Vulnerability

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
CVE-2026-35616 | CVSS 9.8 | CISA KEV | Firewall


CVSS: 9.8 CRITICAL
EPSS: 99.75%
Known exploited: yes
Product: FortiClient EMS

What is known

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Sources