Post Date: 2026/04/28

[Vulnerability Alert] Critical Security Vulnerability in FortiClientEMS (CVE-2026-35616)

Subject: [Vulnerability Alert] Critical Security Vulnerability in FortiClientEMS (CVE-2026-35616)

Description:
- Forwarded from Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC) Security Alert: TWCERTCC-200-202604-00000002.
- FortiClientEMS is an endpoint management server under Fortinet used for the centralized management of FortiClient agents, supporting endpoint deployment, configuration, and monitoring. A critical security vulnerability advisory was recently released (CVE-2026-35616, CVSS: 9.8). This is an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests.
Affected Platforms:
- FortiClientEMS versions 7.4.5 to 7.4.6 (inclusive)
Recommended Actions:
- Please update to FortiClientEMS version 7.4.7 (inclusive) or later.
Reference Material:
1. https://www.twcert.org.tw/tw/cp-169-10821-6cda6-1.html

Computer and Communication Center
Network Systems Division