TP-EXP-2026-0004 CVE-2026-35616 critical Patched Under Review

FortiClient EMS API Authentication Bypass — Pre-Auth RCE

CVE: CVE-2026-35616
Platform: FortiClient EMS 7.4.5–7.4.6
Type: RCE
Severity: CRITICAL
Status: Patched
Zero-Day: Confirmed
Disclosed: April 4, 2026
Patched: April 4, 2026
Days in the Wild: 4
Researchers: Simo Kohonen (Defused), Nguyen Duc Anh
CISA KEV: Listed

Severity Assessment

  • Exploitability: 9/10 — Unauthenticated pre-auth API bypass; no credentials required; public PoC available within 2 days of disclosure
  • Impact: 9/10 — Full system-level code execution on EMS server with control over all managed FortiClient endpoints
  • Weaponization Risk: 8.5/10 — Public PoC released April 6, 2026; CISA KEV listed; historically Fortinet vulnerabilities linked to ransomware campaigns
  • Patch Urgency: 9.5/10 — Emergency hotfix released; CISA mandatory remediation; exposed EMS servers at immediate risk
  • Detection Coverage: 5/10 — API-level bypass is difficult to distinguish from legitimate traffic without EMS-specific log analysis

Summary

CVE-2026-35616 is a critical improper access control vulnerability in Fortinet FortiClient Enterprise Management Server (EMS) that allows unauthenticated remote attackers to bypass API authentication and execute arbitrary code via specially crafted HTTP requests. Exploitation was first observed on March 31, 2026, with Fortinet releasing an emergency hotfix on April 4. CISA added it to the Known Exploited Vulnerabilities (KEV) list on April 6. A public proof-of-concept (PoC) appeared on GitHub the same day. This is the 24th Fortinet CVE on CISA’s KEV list, with 13 historically linked to ransomware campaigns.

Exploit Chain

Stage 1: Target Identification

Attacker identifies FortiClient EMS 7.4.5 or 7.4.6 instances exposed to the network using fingerprinting or passive reconnaissance techniques. Shodan and Censys queries for FortiClient EMS-specific HTTP response headers enumerate exposed instances.

Stage 2: API Authentication Bypass

Specially crafted HTTP requests exploit improper access control in the FortiClient EMS management API, bypassing authentication on the management interface without any credentials. The attacker targets the device manager API endpoint with crafted payloads.

Stage 3: Remote Code Execution

The unauthenticated attacker leverages the API bypass to submit commands to the EMS server with system-level privileges, enabling reverse shell establishment or payload staging.

Stage 4: Lateral Movement via EMS

With full control of the endpoint management server, the attacker pushes malicious policies to all managed FortiClient endpoints, enabling mass lateral movement and persistence across the entire managed fleet.

Detection Guidance

  • Monitor FortiClient EMS access logs for unauthenticated API requests to management endpoints with anomalous patterns.
  • Alert on unexpected process execution on EMS server immediately following API calls without valid session tokens.
  • Review FortiClient EMS logs for FG-IR-26-099 indicators and repeated authentication bypass attempts.
  • Alert on unexpected endpoint policy changes pushed to managed FortiClient agents; audit policy history for unauthorized modifications.
  • Block or alert on outbound connections from EMS server to unknown external infrastructure following any suspicious API activity.
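The first two Detection Guidance bullets as runnable detection logic over constructed log lines, added here and not taken from the advisory or from Fortinet; the key=value log layout, the `session` field, the `ems_service` parent name and the `/api/v1/device/` and `/api/v1/policy/` path prefixes are all assumptions, not the real EMS format.

```python
"""Added example: flag management-API requests with no session token, then
correlate them with process launches on the EMS host within a short window.
Log layout, field names and API paths are constructed assumptions."""
from datetime import datetime, timedelta

# Assumed management-API prefixes; the advisory names only "the device
# manager API endpoint", so these are placeholders.
MGMT_API_PREFIXES = ("/api/v1/device/", "/api/v1/policy/")

# Constructed sample events in a key=value layout (not real EMS output).
ACCESS_LOG = [
    "2026-04-02T03:14:07Z src=203.0.113.9 method=POST path=/api/v1/device/manage status=200 session=-",
    "2026-04-02T03:14:09Z src=203.0.113.9 method=POST path=/api/v1/device/manage status=200 session=-",
    "2026-04-02T03:15:01Z src=10.0.5.20 method=GET path=/api/v1/device/list status=200 session=7f3a",
    "2026-04-02T03:16:44Z src=10.0.5.21 method=GET path=/api/v1/status status=200 session=-",
]
PROCESS_LOG = [
    "2026-04-02T03:14:08Z host=ems01 parent=ems_service image=cmd.exe",
    "2026-04-02T03:40:00Z host=ems01 parent=services.exe image=svchost.exe",
]

def parse_kv(line):
    """Turn '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = dict(field.split("=", 1) for field in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def unauth_mgmt_requests(lines):
    """Management-API requests carrying no session token (first bullet)."""
    return [ev for ev in map(parse_kv, lines)
            if ev["path"].startswith(MGMT_API_PREFIXES)
            and ev.get("session", "-") == "-"]

def correlate_exec(requests, proc_lines, window=timedelta(seconds=60)):
    """Pair each token-less request with every process launch that follows it
    within `window` on the EMS host (second bullet)."""
    procs = [parse_kv(line) for line in proc_lines]
    return [(req, proc) for req in requests for proc in procs
            if req["ts"] <= proc["ts"] <= req["ts"] + window]

if __name__ == "__main__":
    for req, proc in correlate_exec(unauth_mgmt_requests(ACCESS_LOG), PROCESS_LOG):
        print(f"ALERT {req['src']} {req['path']} -> {proc['image']} at {proc['ts']:%H:%M:%S}")
```

The authenticated `/api/v1/device/list` call and the token-less `/api/v1/status` call are deliberately left out of the hits, so only the two token-less device-manager requests survive and only the first of them is followed by a process launch inside the window.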

Indicators of Compromise

  • Crafted unauthenticated API requests targeting FortiClient EMS management endpoints without valid session tokens
  • Unexpected process execution on EMS server following anomalous API calls
  • Unauthorized endpoint policy changes pushed to managed FortiClient agents
  • Public PoC exploit code in use since April 6, 2026 — patch immediately if not already applied

Remediation

  1. Apply Emergency Hotfix — Install Fortinet’s hotfix for FortiClient EMS 7.4.5 and 7.4.6 immediately (advisory FG-IR-26-099).
  2. Upgrade to 7.4.7+ — Apply the full patch release when available for complete remediation.
  3. Restrict Management Access — Ensure EMS management interface is not exposed to untrusted networks; restrict API ports via firewall ACLs.
  4. Monitor for Prior Compromise — Review EMS logs for unauthorized API access between March 31 and April 4 (zero-day window).
  5. Endpoint Policy Audit — If compromise suspected, audit FortiClient policies for unauthorized changes enabling lateral movement.

Disclosure Timeline

2026-03-31 — First Exploitation Observed

First exploitation attempts of CVE-2026-35616 detected in the wild targeting FortiClient EMS 7.4.5–7.4.6 deployments.

2026-04-04 — Fortinet Public Disclosure and Hotfix

Fortinet PSIRT publicly discloses CVE-2026-35616 and releases emergency hotfix via advisory FG-IR-26-099. Simo Kohonen (Defused) and Nguyen Duc Anh credited as researchers.

2026-04-04 — Defused Independent Confirmation

Defused confirms zero-day exploitation observations and provides detailed vulnerability mechanics in independent analysis.

2026-04-06 — CISA KEV Addition

CISA adds CVE-2026-35616 to the Known Exploited Vulnerabilities catalog, confirming active exploitation. Federal agencies required to remediate by April 9, 2026.

2026-04-06 — Public PoC Released

Public proof-of-concept exploit code appears on GitHub, significantly broadening the attack surface.
