Morning Overview

Fortinet rushed an emergency fix after attackers turned its own FortiClient security software into a way to run code on the machines it was meant to protect

Fortinet’s FortiClient endpoint management software, meant to harden corporate and government machines, instead exposed them to silent takeover until an emergency fix closed two serious flaws. Government vulnerability records show that CVE-2026-35616 and CVE-2026-21643 both allowed unauthenticated execution of unauthorized code or commands, turning a defensive tool into an attack path. The issues hit versions 7.4.4 through 7.4.6 of FortiClientEMS, forcing organizations that rely on it for protection to scramble for patches.

According to government entries in the National Vulnerability Database, one bug stemmed from improper access control and another from a SQL injection issue, but the outcome was the same: attackers could run their own instructions on managed systems without logging in. Both flaws are tied to CISA’s Known Exploited Vulnerabilities catalog, which signals that real-world attackers moved first and defenders had to catch up.

Why the emergency fix matters now

The immediate risk from CVE-2026-35616 is that improper access control in FortiClientEMS versions 7.4.5 and 7.4.6 enables “unauthenticated execution of unauthorized code/commands,” according to the U.S. National Vulnerability Database. That means an attacker does not need valid credentials to get the product to execute their code, short-circuiting one of the basic assumptions many administrators make about management consoles.

The related CVE-2026-21643 describes a SQL injection issue in FortiClientEMS 7.4.4 that also “allows unauthenticated code/command execution,” according to a separate entry in the National Vulnerability Database. In both cases, the government records state that exploitation does not require authentication, which raises the stakes for any network where FortiClientEMS is reachable from untrusted segments.

CVE-2026-35616 is explicitly listed as being in CISA’s Known Exploited Vulnerabilities catalog, according to the government vulnerability detail page. The CVE-2026-21643 record notes CISA KEV updates that include a date added and a remediation due date, according to the same government source. CISA only adds entries to KEV when there is evidence of exploitation, so those listings indicate that attackers were already abusing these weaknesses before many defenders heard about them.

Both CVEs carry a CVSS score of 7.4 as recorded in the National Vulnerability Database, with Fortinet identified as the CNA that supplied the scoring information. A 7.4 rating places them in the high severity band under the Common Vulnerability Scoring System, according to the government’s NIST program that maintains the NVD. For organizations that depend on FortiClient to enforce endpoint policies, high severity combined with confirmed exploitation leaves little room to delay patching.

The hypothesis that the dual KEV listings hint at coordinated targeting of government networks rests on the way CISA manages its catalog. The CVE-2026-21643 entry notes CISA KEV change history, including a remediation due date, according to the government record, and CVE-2026-35616 is also tagged as in KEV. That pattern suggests that federal defenders saw enough activity to require agencies to fix both issues on a schedule, although the public records do not specify which networks were hit.

The evidence behind the emergency fix

The clearest description of the first flaw comes from the government’s CVE-2026-35616 entry, which labels it as “improper access control in FortiClientEMS 7.4.5–7.4.6 enabling unauthenticated execution of unauthorized code/commands.” The same entry records a CVSS base score of “7.4” and names Fortinet as the CNA that provided the technical details. The inclusion of the phrase “unauthenticated execution” signals that the attack path bypasses normal login checks.

The second flaw, CVE-2026-21643, is described in the National Vulnerability Database as a SQL injection issue in FortiClientEMS 7.4.4 that “allows unauthenticated code/command execution.” The government record again lists a CVSS base score of “7.4” and ties the vulnerability to Fortinet’s FortiClientEMS product line. SQL injection issues typically arise when user-supplied data is not properly sanitized before being used in database queries, but the public entry focuses on the outcome rather than the exact query structure.
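The SQL injection pattern described above, shown as an added illustration rather than anything drawn from Fortinet's code or from the CVE record: a hypothetical lookup against a small in-memory SQLite table, first with the caller's input spliced into the query text and then with the same query using a bound parameter. The table, column names and the sample inputs are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed in-memory table standing in for any application database.
    # Hypothetical schema, not FortiClientEMS's; it exists only to contrast
    # the two query styles below.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, api_token TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "token-a"), ("bob", "token-b")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable pattern: untrusted input becomes part of the SQL text, so it
    # can alter the query's structure instead of acting only as a value.
    sql = f"SELECT username FROM accounts WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Hardened pattern: the driver binds the parameter as data, so quotes or
    # keywords inside it never reach the SQL parser as syntax.
    sql = "SELECT username FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both variants on a benign and a constructed malformed input."""
    conn = build_db()
    benign = "alice"
    # Constructed malformed input: a stray quote followed by a tautology, the
    # kind of string an input-validation test case or WAF rule would contain.
    malformed = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_malformed": lookup_unsafe(conn, malformed),
        "safe_benign": lookup_safe(conn, benign),
        "safe_malformed": lookup_safe(conn, malformed),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The contrast is the whole point: the unsafe variant returns every account for the malformed input because the tautology rewrites the WHERE clause, while the parameterized variant returns nothing because the string is compared literally. Code review and static analysis rules that flag string formatting or concatenation into SQL text are the usual way to catch the first form before it ships.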

Both CVE records are maintained within the National Vulnerability Database operated by the Information Technology Laboratory at NIST, which describes the NVD as a repository of standardized vulnerability information on its own program page. The NVD entries for CVE-2026-35616 and CVE-2026-21643 link back into this broader government effort to catalog software flaws in a consistent, machine-readable format.

The CVE-2026-35616 record explicitly notes that the vulnerability is in CISA’s Known Exploited Vulnerabilities catalog, according to the government detail page. KEV is a list that CISA uses to drive mandatory remediation for federal civilian agencies, which means the presence of this CVE there is not just informational but tied to operational deadlines. For CVE-2026-21643, the NVD entry points to CISA KEV updates, including a date added and a remediation due date, confirming that CISA treated the SQL injection issue as actively exploited as well.

The involvement of multiple NIST properties in documenting these issues highlights how the government’s vulnerability management ecosystem fits together. The main NIST site notes that the NVD aggregates CVE information, while related resources such as the National Checklist Program at ncp.nist.gov and the CCE catalog at ncp.nist.gov/cce support configuration and enumeration efforts that help agencies track exposure. The CVE entries for FortiClientEMS sit within this larger structure of identifiers, scoring, and control mapping.

NIST’s Computer Security Resource Center also maintains mappings between vulnerabilities and security controls through projects like the SP 800‑53 controls search at csrc.nist.gov. By tying CVE records such as CVE-2026-35616 into control catalogs, agencies can see which access control requirements are relevant when they respond to flaws in products like FortiClientEMS.

What remains unresolved

The public government records around CVE-2026-35616 and CVE-2026-21643 leave several key questions open. The NVD entries do not provide exact dates for when Fortinet first identified the issues, when attackers started exploiting them, or when patches were made available. They also do not quantify how many agencies or private organizations were affected, or how many systems were compromised before the emergency fixes were applied.

There is also no direct statement from Fortinet within the NVD records about customer impact, beyond the technical description supplied as the CNA. The entries confirm that both vulnerabilities allow unauthenticated execution of unauthorized code or commands and that both carry a CVSS score of 7.4, but they do not describe whether Fortinet has changed development or testing practices in response.

The hypothesis that the near‑simultaneous KEV treatment of CVE-2026-35616 and CVE-2026-21643 reflects coordinated targeting of government networks cannot be fully proven from the available data. What is clear from the NVD entries is that CISA added both to its Known Exploited Vulnerabilities catalog and set remediation due dates for at least one of them, which indicates concern about active exploitation. However, the public records do not name specific threat actors, campaigns, or victim sets.

For organizations that rely on FortiClientEMS, the practical takeaway is straightforward even if some of the backstory remains opaque. Any deployment that includes FortiClientEMS versions 7.4.4, 7.4.5, or 7.4.6 falls within the versions affected by the two CVEs, according to the government records, and both flaws permit unauthenticated code execution. The first step for defenders is to confirm product versions across their environment and apply the latest Fortinet updates that address CVE-2026-35616 and CVE-2026-21643, guided by the timelines that CISA has attached in KEV.
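The version-confirmation step above, as an added example that is not part of the original article or of any Fortinet tooling: a small triage script that reads an inventory of hostnames and reported FortiClientEMS versions and buckets each host against the affected ranges the NVD entries state (7.4.4 for CVE-2026-21643, 7.4.5 through 7.4.6 for CVE-2026-35616). The inventory rows and hostnames are constructed, and a version string that cannot be parsed is sent for manual review rather than silently treated as safe.

```python
import re

# Affected ranges exactly as stated in the NVD entries cited in the article
# (inclusive lower and upper bound). No fixed version is asserted here,
# because the public records quoted above do not name one.
AFFECTED = {
    "CVE-2026-35616": ("7.4.5", "7.4.6"),
    "CVE-2026-21643": ("7.4.4", "7.4.4"),
}

# Accepts "7.4.6" as well as strings with a trailing build tag such as
# "7.4.6 build1234" (constructed format; adjust to whatever the inventory
# source actually reports).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as integers, or None if unparseable."""
    match = VERSION_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def affected_cves(version_text):
    """CVE ids whose stated range contains the version.

    Returns None when the version cannot be parsed, so the caller can route
    the host to manual review instead of assuming it is unaffected.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    hits = []
    for cve, (low, high) in AFFECTED.items():
        if parse_version(low) <= version <= parse_version(high):
            hits.append(cve)
    return sorted(hits)


# Constructed inventory of (hostname, reported version); not real hosts.
INVENTORY = [
    ("ems-01.example.internal", "7.4.4"),
    ("ems-02.example.internal", "7.4.6 build1234"),
    ("ems-03.example.internal", "7.4.7"),
    ("ems-04.example.internal", "unknown"),
]


def triage(inventory):
    """Bucket hosts: patch_now, review (unparseable), outside_stated_ranges."""
    report = {"patch_now": [], "review": [], "outside_stated_ranges": []}
    for host, version_text in inventory:
        cves = affected_cves(version_text)
        if cves is None:
            report["review"].append(host)
        elif cves:
            report["patch_now"].append((host, cves))
        else:
            report["outside_stated_ranges"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

The "outside_stated_ranges" bucket is deliberately not labelled "fixed": the records quoted in this article give affected versions but not the release that closes the flaws, so anything outside 7.4.4 through 7.4.6 still needs to be checked against Fortinet's own advisory before it is marked clear.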

The latest publicly available updates in the National Vulnerability Database show that these FortiClientEMS flaws have been cataloged, scored, and tied into CISA’s Known Exploited Vulnerabilities program, but they do not close the loop on how widely the bugs were abused before patches rolled out. The next development to watch is whether additional government advisories or vendor disclosures shed light on exploitation details or prompt broader reviews of access control and SQL handling in similar endpoint management tools.


This article was researched with the help of AI, with human editors creating the final content.