Warning: Critical CVE-2026-35616 is actively exploited, allowing attackers to gain unauthorized access and potentially achieve remote code execution, Patch Immediately!

Published: 07/04/2026

    * Last Update: 07/04/2026

    * Affected products:
         → Fortinet FortiClient EMS 7.4.5 through 7.4.6

    * Type: CWE-284: Improper Access Control

    * CVE/CVSS:
         → CVE-2026-35616: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Fortiguard Labs - https://fortiguard.fortinet.com/psirt/FG-IR-26-099

Risks

Fortinet FortiClient EMS (Endpoint Management Server) is a centralized platform used to deploy, configure, and monitor FortiClient agents across an organization. This critical vulnerability in FortiClient EMS allows unauthenticated attackers to bypass API authentication and authorization checks and execute arbitrary code or commands on the EMS server.

The impact to confidentiality, integrity, and availability is high. Exploitation could lead to full compromise of the EMS infrastructure, affecting all managed endpoints and potentially enabling lateral movement across enterprise networks.

There is confirmed evidence that this vulnerability has been exploited in the wild.

Description

Exploitation of this weakness proceeds as follows:

Delivery - The attacker sends a crafted HTTP/API request targeting the vulnerable FortiClient EMS instance, reaching the unauthenticated API interface exposed on the network.

Improper Access Control - FortiClient EMS fails to enforce proper authentication and authorization on specific API endpoints, allowing the crafted request to bypass access controls.

Execution / Post-Compromise - The crafted request results in execution of unauthorized code or commands on the EMS server, enabling the attacker to obtain control of administrative functionality.

Post-Compromise Impact - Attackers who successfully exploit this flaw can manipulate or exfiltrate sensitive configuration and policy data, corrupt or disable endpoint protections, disrupt endpoint management services, deploy malicious payloads, and use the compromised EMS as a foothold for further network intrusion or lateral movement.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-35616
CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35616