Full Report
Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild. The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation. "An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an
Analysis Summary
# Vulnerability: FortiClient EMS Pre-Authentication API Access Bypass
## CVE Details
- **CVE ID:** CVE-2026-35616
- **CVSS Score:** 9.1 (Critical)
- **CWE:** CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** Fortinet FortiClient EMS (Endpoint Management Server)
- **Versions:** 7.4.5 and 7.4.6
- **Configurations:** Deployments whose EMS API endpoints are reachable from the internet or from other untrusted networks.
## Vulnerability Description
CVE-2026-35616 is a critical improper access control vulnerability within the FortiClient EMS API. The flaw allows a remote, unauthenticated attacker to bypass authentication and authorization mechanisms. By sending specially crafted API requests, an attacker can escalate privileges and execute unauthorized code or system commands on the underlying server.
## Exploitation
- **Status:** Exploited in the wild (Zero-day exploitation observed).
- **Complexity:** Low (the affected API endpoints are reachable before authentication, so no credentials or user interaction are required).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Unauthorized access to data/API).
- **Integrity:** High (Unauthorized execution of commands/code).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
Fortinet has released out-of-band hotfixes for currently vulnerable versions. Users should update to:
- **FortiClient EMS 7.4.7** (upcoming release that will carry the permanent fix).
- **Specific Hotfixes:** Apply the released hotfix for versions **7.4.5** and **7.4.6**.
### Workarounds
No specific configuration workarounds were provided in the article; immediate patching/hotfixing is strongly recommended due to active exploitation.
## Detection
- **Indicators of Compromise:** Monitor for unusual or unauthorized web requests to FortiClient EMS API endpoints, particularly unauthenticated requests that succeed and requests originating from unexpected external IP addresses.
- **Detection methods and tools:** Review FortiClient EMS logs for administrative actions or command execution that no legitimate administrator performed. Honeypot data (via watchTowr) indicates exploitation attempts began as early as March 31, 2026, so log review should cover at least that period.
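The log-review approach above can be scripted against the web-server access log of an EMS host. The following is an added example written for this summary, not code from Fortinet or from the referenced articles: it parses constructed combined-format log lines (the `/api/` path prefix, the `10.20.0.0/16` management network and all sample addresses are assumptions, not the product's real API paths or any observed attacker infrastructure) and flags successful API requests that carry no authenticated user and originate outside the trusted management network, which is the pattern the advisory describes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines in Apache/nginx combined format.
# Paths, users, timestamps and IP addresses are illustrative only (assumption);
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
10.20.0.15 - admin [31/Mar/2026:08:01:12 +0000] "GET /api/v1/endpoints HTTP/1.1" 200 5120
10.20.0.15 - admin [31/Mar/2026:08:02:40 +0000] "POST /api/v1/policies HTTP/1.1" 200 312
203.0.113.77 - - [31/Mar/2026:08:05:03 +0000] "POST /api/v1/admin/users HTTP/1.1" 200 88
203.0.113.77 - - [31/Mar/2026:08:05:04 +0000] "POST /api/v1/admin/tasks HTTP/1.1" 200 64
198.51.100.9 - - [31/Mar/2026:08:07:19 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.5 - - [31/Mar/2026:08:09:55 +0000] "GET /api/v1/endpoints HTTP/1.1" 401 0
"""

# Assumed management network from which administrators normally reach EMS.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed API path prefix; substitute the prefix your EMS deployment actually serves.
API_PREFIX = "/api/"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_text):
    """True when the source address lies inside one of the trusted management networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def find_suspicious(log_text):
    """Return API requests that succeeded (2xx) with no authenticated user
    and came from outside the trusted networks."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(API_PREFIX):
            continue
        if is_trusted(rec["ip"]):
            continue
        # A 2xx on an API path with no user recorded is the signal to triage:
        # legitimate API use should be authenticated, and a 401 means access was refused.
        if rec["user"] == "-" and 200 <= rec["status"] < 300:
            findings.append(rec)
    return findings


def summarize(findings):
    """Count suspicious requests per source address for quick triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(dict(summarize(hits)))
```

Run it against the real access log instead of `SAMPLE_LOG` and, when the EMS log format differs, adjust `LINE_RE` rather than the filter logic; the two conditions that matter (no authenticated principal, successful status on an API path, untrusted source) stay the same. A source address that appears repeatedly in the summary is a candidate for pulling the EMS application logs for the same window to confirm whether any administrative action was recorded.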
## References
- **Vendor Advisory:** hxxps://fortiguard[.]fortinet[.]com/psirt/FG-IR-26-099
- **Release Notes/Hotfix:** hxxps://docs[.]fortinet[.]com/document/forticlient/7.4.5/ems-release-notes/832484
- **Researcher Credit:** hxxps://x[.]com/DefusedCyber/status/2040315969159995847
- **News Source:** hxxps://thehackernews[.]com/2026/04/fortinet-patches-actively-exploited-cve.html