Full Report
Fortinet has released an emergency weekend security update for a new critical FortiClient Enterprise Management Server (EMS) vulnerability that is actively exploited in attacks. [...]
Analysis Summary
# Vulnerability: Critical Pre-authentication API Access Bypass in FortiClient EMS
## CVE Details
- **CVE ID:** CVE-2026-35616
- **CVSS Score:** 9.8 (Critical) - *Estimated based on "Critical" rating and pre-auth RCE characteristics*
- **CWE:** CWE-284 (Improper Access Control) / CWE-288 (Authentication Bypass)
## Affected Systems
- **Products:** Fortinet FortiClient Enterprise Management Server (EMS)
- **Versions:**
  - 7.4.5
  - 7.4.6
- **Configurations:** Systems exposed to the public internet are at highest risk; approximately 2,000 instances are currently indexed globally.
## Vulnerability Description
CVE-2026-35616 is a critical improper access control vulnerability within the FortiClient EMS API. The flaw allows a remote, unauthenticated attacker to bypass authentication and authorization controls entirely. By sending specially crafted requests to the management server, an attacker can achieve unauthorized API access, leading to remote code or command execution (RCE) on the underlying system.
## Exploitation
- **Status:** Actively exploited in the wild (Zero-day).
- **Complexity:** Low (Pre-authentication bypass).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full access to EMS data and managed client information).
- **Integrity:** High (Ability to execute unauthorized commands or modify system configurations).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
Fortinet has released emergency hotfixes for the affected versions. Customers are urged to apply these immediately:
- **For FortiClient EMS 7.4.5:** Install the specific hotfix provided in the release notes.
- **For FortiClient EMS 7.4.6:** Install the specific hotfix provided in the release notes.
- **Upcoming:** The fix will be natively integrated into the upcoming **FortiClient EMS 7.4.7** release.
*Note: FortiClient EMS 7.2 is reported as not affected.*
### Workarounds
No specific configuration workarounds were provided in the article. The primary mitigation is the immediate application of the vendor-supplied hotfixes. Organizations should also restrict access to the EMS administration interface to trusted internal networks or via VPN.
## Detection
- **Indicators of Compromise:** Monitor for unusual or unauthorized API requests hitting the EMS management interface, particularly those originating from unexpected external IP addresses.
- **Detection methods and tools:**
  - Review FortiClient EMS logs for exploitation attempts associated with the API access bypass, in particular API calls that succeed without a preceding authenticated session.
  - Use external scanning services (e.g., Shadowserver) to determine whether your EMS instance is reachable from the public internet.
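The log review the bullets above call for can be scripted. The following is an added example written for this summary, not Fortinet's code and not part of the original advisory: it parses a log export, keeps only requests to API paths, and flags those that come from outside an allowlist of trusted management networks or that receive a successful (2xx) response without an authenticated user on the request. The `key=value` line layout, the `/api/v1/...` paths, the sample addresses and the `TRUSTED_NETWORKS` ranges are all constructed assumptions; the real FortiClient EMS log format differs, so `parse_line()` and the allowlist must be adapted to your own environment.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: management networks that are allowed to reach the EMS interface.
# Replace with your own ranges.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records in a simple key=value layout. This is NOT the real
# FortiClient EMS log format; adapt parse_line() to the export you actually have.
SAMPLE_LOG = """\
ts=2026-04-12T02:14:03Z src=10.20.1.7 method=GET path=/api/v1/endpoints status=200 user=admin
ts=2026-04-12T02:15:11Z src=203.0.113.45 method=POST path=/api/v1/endpoints status=200 user=-
ts=2026-04-12T02:15:12Z src=203.0.113.45 method=POST path=/api/v1/admin/users status=201 user=-
ts=2026-04-12T02:16:40Z src=198.51.100.9 method=GET path=/ status=302 user=-
ts=2026-04-12T02:17:05Z src=192.168.5.22 method=GET path=/api/v1/policies status=200 user=operator
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3}) user=(?P<user>\S+)"
)


@dataclass
class Finding:
    ts: str
    src: str
    method: str
    path: str
    reasons: list


def parse_line(line: str):
    """Return the record fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(src: str, trusted=TRUSTED_NETWORKS) -> bool:
    """True when the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable address: treat as untrusted
    return any(addr in net for net in trusted)


def review(log_text: str, trusted=TRUSTED_NETWORKS) -> list:
    """Flag API requests that came from outside the trusted networks or that
    succeeded (2xx) without an authenticated user attached to the request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/api/"):
            continue
        reasons = []
        if not is_trusted(rec["src"], trusted):
            reasons.append("API request from outside trusted networks")
        if rec["user"] == "-" and rec["status"].startswith("2"):
            reasons.append("successful API response with no authenticated user")
        if reasons:
            findings.append(Finding(rec["ts"], rec["src"], rec["method"], rec["path"], reasons))
    return findings


def sources_by_hit_count(findings) -> Counter:
    """Aggregate findings per source address so repeat offenders stand out."""
    return Counter(f.src for f in findings)


if __name__ == "__main__":
    hits = review(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} {f.method} {f.path}: {'; '.join(f.reasons)}")
    print("per-source counts:", dict(sources_by_hit_count(hits)))
```

Run against the constructed sample, the two `203.0.113.45` records are flagged on both counts while the requests from the trusted ranges and the non-API redirect are ignored. The two checks are deliberately independent: an untrusted source alone is worth a look given the exposure figures quoted above, and a successful API call with no authenticated user is the pattern an authentication bypass would leave even when the source happens to sit inside a trusted range.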
## References
- **Vendor Advisory:** [https[:]//fortiguard[.]fortinet[.]com/psirt/FG-IR-26-099]
- **FortiClient EMS 7.4.5 Release Notes:** [https[:]//docs[.]fortinet[.]com/document/forticlient/7.4.5/ems-release-notes/832484]
- **FortiClient EMS 7.4.6 Release Notes:** [https[:]//docs[.]fortinet[.]com/document/forticlient/7.4.6/ems-release-notes/832484]
- **Researcher Disclosure (Defused):** [https[:]//x[.]com/DefusedCyber/status/2040315969159995847]