Fortinet FortiClientEMS allows unauthorized code execution via crafted requests

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.8

Fortinet FortiClientEMS allows unauthorized code execution via crafted requests

CVE-2026-35616

Summary

Fortinet's FortiClientEMS versions 7.4.5 and 7.4.6 have a security weakness that lets hackers run unauthorized code or commands without needing a login. This could allow them to access or modify sensitive data. Update to a fixed version to protect your system.

Original title

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Original description

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

nvd CVSS3.1 9.8

Vulnerability type

CWE-284 Improper Access Control

https://fortiguard.fortinet.com/psirt/FG-IR-26-099

Published: 4 Apr 2026 · Updated: 4 Apr 2026 · First seen: 4 Apr 2026