Full Report
Fortinet security advisory (AV26-313)
Analysis Summary
# Vulnerability: FortiClientEMS API Authentication and Authorization Bypass
## CVE Details
- **CVE ID:** CVE-2026-35616
- **CVSS Score:** 9.8 (Critical) - *Based on standard scoring for bypasses of this nature.*
- **CWE:** CWE-287 (Improper Authentication) / CWE-285 (Improper Authorization)
## Affected Systems
- **Products:** FortiClientEMS (Enterprise Management Server)
- **Versions:** 7.4.5 through 7.4.6
- **Configurations:** Systems running the affected versions with the API interface accessible.
## Vulnerability Description
The vulnerability allows a remote, unauthenticated attacker to bypass authentication and authorization mechanisms on the FortiClientEMS API. Due to improper validation of requests, an attacker can gain unauthorized access to administrative functions, potentially leading to full system compromise or the ability to push malicious configurations to managed endpoints.
## Exploitation
- **Status:** **Exploited in the wild.** (Added to CISA KEV Catalog on April 6, 2026).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to EMS database and client info)
- **Integrity:** High (Ability to modify configurations and deploy files)
- **Availability:** High (Potential to disrupt endpoint management)
## Remediation
### Patches
Fortinet recommends upgrading to the following versions or higher:
- **FortiClientEMS 7.4.7** or later (Verify specific patch release notes for version-specific fixes).
### Workarounds
- **Network Segmentation:** Restrict access to the FortiClientEMS administrative and API interfaces to trusted internal IP addresses only.
- **Firewall Rules:** Block external access to the ports used by the EMS API (typically 443 or custom ports) from the public internet.
## Detection
- **Indicators of Compromise:** Monitor web server logs for unusual API calls originating from unknown or external IP addresses, specifically those targeting `/api/` endpoints without valid session tokens.
- **Detection methods and tools:**
  - Use vulnerability scanners to identify installations running version 7.4.5 or 7.4.6.
  - Check CISA KEV catalog updates for specific behavioral patterns associated with active exploitation.
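As an added illustration of the log-monitoring indicator above (this is not code from the advisory or from Fortinet), the script below triages access-log records for `/api/` requests that come from outside trusted address ranges, carry no session token, and were still answered successfully. The JSON-lines log format, the field names, the `sessionid` cookie name and the trusted ranges are all assumptions to adapt to the real EMS deployment; the sample records are constructed.

```python
"""Triage web-server access logs for the advisory's indicator: /api/ requests
from untrusted sources with no session token. The log layout, field names,
cookie name and trusted networks below are assumptions, not EMS defaults."""
import ipaddress
import json

# Networks from which EMS administration is expected to originate (assumed).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SESSION_COOKIE = "sessionid"  # assumed name; set to the real session cookie

# Constructed sample records; not real FortiClientEMS log output.
SAMPLE_LOG = """\
{"ts":"2026-04-06T10:14:02Z","src":"203.0.113.45","method":"GET","path":"/api/v1/admin/users","status":200,"cookies":{},"auth_header":false}
{"ts":"2026-04-06T10:15:30Z","src":"10.0.5.12","method":"GET","path":"/api/v1/endpoints","status":200,"cookies":{"sessionid":"..."},"auth_header":false}
{"ts":"2026-04-06T10:16:11Z","src":"198.51.100.7","method":"POST","path":"/api/v1/policies/deploy","status":200,"cookies":{},"auth_header":false}
{"ts":"2026-04-06T10:17:00Z","src":"203.0.113.45","method":"GET","path":"/login","status":200,"cookies":{},"auth_header":false}
{"ts":"2026-04-06T10:18:45Z","src":"203.0.113.45","method":"GET","path":"/api/v1/admin/users","status":401,"cookies":{},"auth_header":false}
"""


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def has_session_token(rec: dict) -> bool:
    # Either the session cookie or an Authorization header counts as a token.
    return SESSION_COOKIE in rec.get("cookies", {}) or bool(rec.get("auth_header"))


def suspicious(rec: dict) -> bool:
    """An /api/ request from an untrusted source, without a token, that the
    server answered with 2xx. A 401/403 is the expected reply and is not
    flagged here (repeated ones deserve a separate rate-based look)."""
    return (rec["path"].startswith("/api/")
            and not is_trusted(rec["src"])
            and not has_session_token(rec)
            and 200 <= rec["status"] < 300)


def find_suspicious(log_text: str) -> list[dict]:
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if suspicious(rec):
                hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} {rec['method']} {rec['path']} -> {rec['status']}")
```

Run against the sample, it reports the two unauthenticated `/api/` calls from external addresses that succeeded and ignores the internal call, the non-API request and the rejected attempt.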
## References
- [Fortinet PSIRT Advisory FG-IR-26-099] - hxxps[://]www[.]fortiguard[.]com/psirt/FG-IR-26-099
- [CISA KEV Catalog] - hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- [Canadian Centre for Cyber Security Advisory AV26-313] - hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/fortinet-security-advisory-av26-313