Fortinet FortiClientEMS Vulnerability Exploited in the Wild (CVE-2026-35616)

Fortinet released a security advisory to address an actively exploited vulnerability impacting FortiClientEMS. Tracked as CVE-2026-35616, the vulnerability has a critical severity rating with a CVSS score of 9.1. Successful exploitation may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Simo Kohonen from Defused and Nguyen Duc Anh discovered and reported the vulnerability to Fortinet.

CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before April 9, 2026.

FortiClient Endpoint Management Server is a security management solution that enables users to manage multiple endpoints (computers) in a centralized, scalable manner. It provides visibility across the network and allows users to assign security profiles to endpoints, automatically manage devices, and troubleshoot FortiClient EMS.

This development follows just days after a recently patched critical vulnerability in FortiClient EMS (CVE-2026-21643, CVSS score: 9.1) that was actively exploited. It’s unclear if the same threat actor is behind both vulnerabilities or if they’re being chained together.

Qualys Threat Intelligence assigned a Qualys Vulnerability Score (QVS) of 95 to CVE-2026-35616. Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS scores and external threat indicators like active exploitation, exploit code maturity, CISA known exploits, and more.

Affected Versions

The vulnerability affects FortiClientEMS versions 7.4.5 through 7.4.6.

Mitigation

Users must upgrade to FortiClient EMS 7.4.7 or later to patch the vulnerability.

Please refer to the Fortinet PSIRT Advisory (FG-IR-26-099) for more information.

Workaround

Fortinet suggests customers install the hotfix for FortiClient EMS 7.4.5 and 7.4.6 by following the instructions at:

Qualys Detection

Qualys customers can scan their devices with QIDs 386970 and 531112 to detect vulnerable assets.
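As an added illustration that is not part of the original post or of Qualys' or Fortinet's tooling, the following Python snippet shows how a defender can triage an EMS inventory against the advisory's version range (7.4.5 through 7.4.6 affected, 7.4.7 or later fixed) and the hotfix workaround. The inventory records, hostnames and the `hotfix_applied` field are constructed for the example; whether a hotfix was applied is tracked as a separate field because it is not assumed to change the reported version string. The helper compares versions numerically rather than as strings, which matters once a minor version reaches two digits (for example 7.4.10).

```python
from typing import Dict, List, Tuple

# Version bounds taken from the advisory text on this page:
# 7.4.5 through 7.4.6 are affected; 7.4.7 and later contain the fix.
AFFECTED_MIN: Tuple[int, ...] = (7, 4, 5)
AFFECTED_MAX: Tuple[int, ...] = (7, 4, 6)
FIXED_MIN: Tuple[int, ...] = (7, 4, 7)

# Constructed sample inventory; hostnames and hotfix flags are made up.
INVENTORY: List[Dict[str, object]] = [
    {"host": "ems-01.example.internal", "version": "7.4.5", "hotfix_applied": False},
    {"host": "ems-02.example.internal", "version": "7.4.6", "hotfix_applied": True},
    {"host": "ems-03.example.internal", "version": "7.4.7", "hotfix_applied": False},
    {"host": "ems-04.example.internal", "version": "7.4.10", "hotfix_applied": False},
    {"host": "ems-05.example.internal", "version": "7.2.9", "hotfix_applied": False},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '7.4.10' into (7, 4, 10) so that comparisons are numeric.

    Comparing the raw strings would rank '7.4.10' below '7.4.6' and
    misclassify a patched server as vulnerable.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(record: Dict[str, object]) -> str:
    """Map one inventory record to a remediation state.

    States:
      fixed                  - running 7.4.7 or later
      mitigated-hotfix       - affected build, but the hotfix workaround is applied;
                               still needs the upgrade to 7.4.7+
      vulnerable             - affected build with no hotfix
      not-in-affected-range  - version outside the range listed in the advisory
    """
    version = parse_version(str(record["version"]))
    if version >= FIXED_MIN:
        return "fixed"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "mitigated-hotfix" if record.get("hotfix_applied") else "vulnerable"
    return "not-in-affected-range"


def triage(inventory: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group hostnames by remediation state for a patch-priority report."""
    report: Dict[str, List[str]] = {}
    for record in inventory:
        report.setdefault(classify(record), []).append(str(record["host"]))
    return report


if __name__ == "__main__":
    # Hosts in the "vulnerable" bucket are the ones to act on before the
    # CISA deadline; "mitigated-hotfix" hosts still need the 7.4.7 upgrade.
    for state, hosts in sorted(triage(INVENTORY).items()):
        print(f"{state:22s} {', '.join(hosts)}")
```

The `not-in-affected-range` bucket only says a version is outside the range this advisory lists; it is not a statement that such builds are safe, so those hosts should be checked against Fortinet's support status separately.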

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://fortiguard.fortinet.com/psirt/FG-IR-26-099

Author: Diksha Ojha

Senior Technical Writer
