Fortinet FortiClientEMS Vulnerability Exploited in the Wild (CVE-2026-35616)

Fortinet released a security advisory to address an actively exploited vulnerability impacting FortiClientEMS. Tracked as CVE-2026-35616, the vulnerability has a critical severity rating with a CVSS score of 9.1. Successful exploitation may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Simo Kohonen from Defused and Nguyen Duc Anh discovered and reported the vulnerability to Fortinet.

FortiClient Endpoint Management Server is a security management solution that enables users to manage multiple endpoints (computers) in a centralized, scalable manner. It provides visibility across the network and allows users to assign security profiles to endpoints, automatically manage devices, and troubleshoot FortiClient EMS.

This development follows just days after a recently patched critical vulnerability in FortiClient EMS (CVE-2026-21643, CVSS score: 9.1) that was actively exploited. It’s unclear if the same threat actor is behind both vulnerabilities or if they’re being chained together.

Qualys Threat Intelligence assigned a Qualys Vulnerability Score (QVS) of 95 to CVE-2026-35616. QVS is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS scores and external threat indicators like active exploitation, exploit code maturity, CISA known exploits, and more.

Affected Versions

The vulnerability affects FortiClientEMS versions 7.4.5 through 7.4.6.

Mitigation

Users must upgrade to FortiClient EMS 7.4.7 or later to patch the vulnerability.

Please refer to the Fortinet PSIRT Advisory (FG-IR-26-099) for more information.
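The affected range (7.4.5 through 7.4.6) and fixed release (7.4.7) above can be turned into a simple inventory triage. The following is an added example, not Qualys or Fortinet code; the host names and version strings in it are constructed, and the version-string format it parses is an assumption.

```python
"""Triage a FortiClient EMS inventory against the CVE-2026-35616 affected range.

Added example. The range 7.4.5-7.4.6 and fixed release 7.4.7 come from the
advisory text; hosts and version strings below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED = (7, 4, 7)

# Constructed sample inventory (hostname -> version string as collected).
INVENTORY = {
    "ems-prod-01": "7.4.5",
    "ems-prod-02": "v7.4.6 build 1802",
    "ems-lab-01": "7.4.7",
    "ems-old-01": "7.2.9",
    "ems-unknown": "version string not collected",
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from strings like '7.4.5' or 'v7.4.6 build 1802'.
    Assumes a dotted three-part version; returns None if none is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def triage(version_text: str) -> str:
    """Classify one EMS version against the advisory's affected and fixed versions."""
    v = parse_version(version_text)
    if v is None:
        return "unknown: verify version manually"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected: upgrade to 7.4.7 or apply the Fortinet hotfix"
    if v >= FIXED:
        return "fixed"
    return "not listed as affected by FG-IR-26-099"


def summarize(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by triage result so affected hosts can be prioritized."""
    groups: Dict[str, List[str]] = {}
    for host, text in inventory.items():
        groups.setdefault(triage(text), []).append(host)
    return groups


if __name__ == "__main__":
    for result, hosts in summarize(INVENTORY).items():
        print(f"{result}: {', '.join(hosts)}")
```

Hosts in the "not listed" bucket are outside the advisory's stated range, not confirmed safe; confirm their status against the Fortinet advisory and the QID 386970 scan results.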

Workaround

Fortinet suggests customers install the hotfix for FortiClient EMS 7.4.5 and 7.4.6 by following the instructions at:

Qualys Detection

Qualys customers can scan their devices with QID 386970 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://fortiguard.fortinet.com/psirt/FG-IR-26-099