
CVE-2026-35616

Severity: CRITICAL · CVSS 9.8 · KEV-listed · EPSS 88.5%
Hype: ACTIVE HACK · 87

KEV-listed, working PoC public, active malware campaigns confirmed, urgent vendor patching.

What: Improper access control in Fortinet FortiClientEMS 7.4.5–7.4.6 allows unauthenticated attackers to execute arbitrary code or commands. CVSS 9.8 CRITICAL; EPSS 0.97559.

Why it matters: KEV-listed 2 days after NVD publication (2026-04-06). Active in-the-wild exploitation reported delivering EKZ credential stealer via unauthenticated API access. Multiple credible sources (ArcticWolf, security researchers) confirm malware campaigns targeting FortiClient EMS to steal endpoint credentials. Fortinet patched urgently.

Where it's seen: GitHub PoC published. Security vendor advisories and threat intel reports document active exploitation. Social chatter emphasizes unauthenticated RCE risk and real-world malware delivery chains. Defenders actively triaging compromised EMS instances.

RISK: CRITICAL — Unauthenticated RCE, CVSS 9.8, active exploitation, credential theft campaigns underway.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/29/2026, 12:14:35 PM

Description

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

CVSS 3.1 breakdown

Exploitability 3.9 · Impact 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Affected versions

  • fortinet/forticlientems
    • 7.4.5
    • 7.4.6

Weaknesses

Vendors

  • fortinet

Products

  • forticlientems