Critical CVSS 9.8 vulnerability in Fortinet FortiClient EMS 7.4.5-7.4.6 allows unauthenticated RCE. Active exploitation reported; patch immediately.
| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| forticlientems | 7.4.5 | 7.4.5 | vulnerable |
| forticlientems | 7.4.6 | 7.4.6 | vulnerable |
Immediately consult Fortinet PSIRT advisory FG-IR-26-099 and apply the latest security patches provided by the vendor to resolve the improper access control flaw.
Upgrade all FortiClient EMS instances running versions 7.4.5 and 7.4.6 to the recommended secure version (7.4.7 or later) as specified in the vendor documentation.
Isolate the FortiClient EMS management interface from the public internet using a firewall or VPN, and implement strict IP-based access control lists (ACLs) to allow only trusted administrative traffic.
Audit EMS logs for unauthorized administrative actions, unusual command execution patterns, or suspicious network requests that deviate from established baselines.
Monitor network traffic for malformed or suspicious requests targeting FortiClient EMS management ports. Specifically, look for unexpected POST requests or indicators of command injection in application logs. Security teams should also inspect system logs for unauthorized child processes spawned by the EMS service and review endpoint activity for any unexpected policy changes or software deployments that may indicate the management server has been compromised.
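As an added illustration of the two log checks described above (not code from the advisory or from Fortinet), the script below runs over constructed sample data: simplified access-log lines for the EMS management interface and process-creation events. The trusted admin subnet, the request paths, and the `ems_service.exe` parent name are all placeholders, not real FortiClient EMS values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (common log format), not real EMS logs.
ACCESS_LOG = """\
10.0.5.20 - admin [12/Mar/2026:10:01:03 +0000] "POST /api/login HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2026:10:02:41 +0000] "POST /api/policy HTTP/1.1" 200 87
10.0.5.21 - - [12/Mar/2026:10:03:10 +0000] "GET /dashboard HTTP/1.1" 200 9034
198.51.100.9 - - [12/Mar/2026:10:04:55 +0000] "POST /api/deploy HTTP/1.1" 500 0
"""

# Assumption: only this subnet is permitted by the management-interface ACL.
TRUSTED_ADMIN_NETS = [ip_network("10.0.5.0/24")]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_untrusted_posts(log_text, trusted_nets=TRUSTED_ADMIN_NETS):
    """Return (src_ip, method, path, status) for POSTs from outside the ACL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        src, _ts, method, path, status = m.groups()
        if method == "POST" and not any(ip_address(src) in n for n in trusted_nets):
            hits.append((src, method, path, int(status)))
    return hits


# Constructed process-creation events as (parent_image, child_image) pairs.
PROC_EVENTS = [
    ("ems_service.exe", "sqlservr.exe"),
    ("ems_service.exe", "cmd.exe"),
    ("ems_service.exe", "powershell.exe"),
    ("svchost.exe", "cmd.exe"),
]
EMS_PARENT = "ems_service.exe"        # placeholder, not the real service binary
EXPECTED_CHILDREN = {"sqlservr.exe"}  # assumption: site-specific baseline


def flag_ems_child_processes(events, parent=EMS_PARENT, expected=EXPECTED_CHILDREN):
    """Return child images spawned by the EMS service that are not in the baseline."""
    return [child for p, child in events if p == parent and child not in expected]
```

Both checks depend on a locally maintained baseline (the ACL and the expected-children set); review any hit against change records before treating it as a compromise indicator.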