FortiClient EMS improper access control flaw (CVE-2026-35616)
Vulnerability
Summary
CVE-2026-35616 is being actively exploited against FortiClient Enterprise Management Server (EMS), putting exposed 7.4.5 and 7.4.6 deployments at risk of unauthenticated remote code or command execution. The flaw is an improper access control bug that lets unauthenticated attackers bypass protections with specially crafted requests. Fortinet has released an emergency hotfix and urges customers to install it immediately; 7.4.7 is due later and 7.2 is not affected.
Related Happenings
CISA KEV listing and FCEB patch order for CVE-2026-35616
Public Sector Action
First: 06.04.2026 19:02
Last: 06.04.2026 19:02
Sources 1
How related:
On Monday, CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch FortiClient EMS instances by Thursday midnight, April 9, as mandated by Binding Operational Directive (BOD) 22-01.
About this happening:
**CISA** added **CVE-2026-35616** to the **KEV Catalog** and ordered **FCEB agencies** to patch **FortiClient EMS** by **Thursday midnight, April 9**. The mandate matters because...
Fortinet FortiClient EMS actively exploited SQL injection flaw (CVE-2026-21643)
Vulnerability
First: 30.03.2026 10:48
Last: 30.03.2026 10:48
Sources 1
How related:
Defused also discovered another critical vulnerability in the FortiClient EMS platform last week, also being exploited in the wild.
About this happening:
Active exploitation of **CVE-2026-21643** is putting **Fortinet FortiClient EMS** deployments at risk of **unauthenticated arbitrary code or command execution** on unpatched syste...
CISA KEV patch directive for CVE-2025-53521
Advisory/Mitigation
First: 30.03.2026 10:07
Last: 30.03.2026 10:07
Sources 1
About this happening:
CISA added **CVE-2025-53521** to its **KEV catalog** and told **federal agencies** to patch the F5 BIG-IP flaw within **three days**. The directive is urgent because the bug is be...
F5 BIG-IP APM unauthenticated RCE (CVE-2025-53521)
Vulnerability
First: 30.03.2026 10:07
Last: 30.03.2026 10:07
Sources 1
About this happening:
**CVE-2025-53521** is being **actively exploited** against **F5 BIG-IP APM** deployments, creating **unauthenticated remote code execution** risk for exposed systems. The flaw aff...
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector Action
First: 17.03.2026 07:23
Last: 17.03.2026 07:23
Sources 1
About this happening:
CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
Timeline
05.04.2026 21:45 · 2 articles
Fortinet issues emergency hotfix for CVE-2026-35616
Mitigation Patch Update
Fortinet releases an emergency hotfix for CVE-2026-35616, an improper access control flaw in FortiClient EMS 7.4.5 and 7.4.6 that can let unauthenticated attackers execute code or commands via specially crafted requests. Fortinet says FortiClient EMS 7.4.7 will also fix the issue and urges customers to install the hotfix immediately.
Sources:
- New FortiClient EMS flaw exploited in attacks, emergency patch released — www.bleepingcomputer.com — 05.04.2026 21:45
- Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited — www.infosecurity-magazine.com — 07.04.2026 12:26
05.04.2026 21:45 · 1 article
Fortinet confirms CVE-2026-35616 active exploitation
Initial Disclosure
Fortinet confirms that CVE-2026-35616 is actively exploited in the wild, credits Defused with finding a pre-authentication API access bypass in FortiClient EMS, and notes that Shadowserver found more than 2,000 exposed EMS instances online, mostly in the USA and Germany. Defused says the flaw was observed as a zero-day earlier this week before responsible disclosure to Fortinet.
Sources:
- New FortiClient EMS flaw exploited in attacks, emergency patch released — www.bleepingcomputer.com — 05.04.2026 21:45