CVE-2026-35616 — Fortinet FortiClient EMS Critical Pre-Auth RCE

---

Executive Summary

Fortinet FortiClient Endpoint Management Server (EMS) versions 7.4.5 and 7.4.6 contain a critical improper access control vulnerability (CWE-284) in the API authentication layer. Unauthenticated remote attackers can bypass all authentication and authorization controls via specially crafted API requests, achieving arbitrary code execution without requiring credentials, user interaction, or elevated privileges. Active exploitation confirmed in the wild. Emergency hotfixes released same-day by Fortinet.

Vulnerability Details

CVE ID: CVE-2026-35616
CWE: CWE-284 (Improper Access Control / Escalation of Privilege)
CVSS v3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Attack Vector: Network
Privileges Required: None
User Interaction: None
Authentication: Not required

Impact:

• Confidentiality: HIGH (full data access)
• Integrity: HIGH (complete system compromise)
• Availability: HIGH (service disruption/DoS)

Affected Versions

Vulnerable:

• FortiClient EMS 7.4.5
• FortiClient EMS 7.4.6

Not Affected (unconfirmed for 8.0 branch):

• FortiClient EMS 7.2.x branch (patched in 7.2.11)
• Earlier versions before 7.4.5

Technical Mechanics

The vulnerability resides in the API authentication and authorization layer of FortiClientEMS. The attack chain:

1. No Authentication Required: Attacker sends a network request directly to the EMS API endpoint without credentials
2. Bypass via Crafted Requests: Specially crafted API payloads bypass authentication checks entirely — the “gatekeeper” fails to validate identity
3. Arbitrary Code Execution: Once authentication is bypassed, attacker gains capability to execute unauthorized code or commands on the EMS server
4. Full Control: Complete compromise of endpoint management operations

Key Technical Factors:

• Low attack complexity (no special conditions needed)
• Remotely exploitable (no physical/local access required)
• Pre-authentication (no credentials, session tokens, or prior access)
• Scope unchanged (attacker gains control within the context of the vulnerable service)

Real-World Implications

For Organizations Running FortiClient EMS:

1. Exposed Infrastructure Risk: Any EMS instance accessible on the network or internet-facing becomes an immediate entry point for unauthorized code execution
2. Endpoint Fleet Compromise: Attackers gain control of endpoint management operations, potentially:

• Deploying malware across all managed devices
• Disabling security software on corporate devices
• Exfiltrating data from endpoint inventory
• Creating persistent backdoors

1. Supply Chain Risk: EMS is frequently deployed in enterprise networks managing thousands of endpoints — breach of EMS = breach of entire device fleet
2. Zero Lateral Movement Required: Unlike typical exploits requiring privilege escalation or lateral movement, this flaw provides direct access to the management tier

Exploitation Status

Defused Cyber: Discovered active exploitation in the wild before public disclosure
Fortinet Confirmation: “Fortinet has observed CVE-2026-35616 to be exploited in the wild and urges vulnerable customers to install the hotfix”
Public PoC: 1 public proof-of-concept exploit available on GitHub as of April 4, 2026
Threat Level: Exploitation difficulty LOW → expected rapid weaponization

Remediation

Immediate Actions (Priority 1):

1. Apply Emergency Hotfix NOW

• FortiClient EMS 7.4.5: Apply hotfix from official release notes
• FortiClient EMS 7.4.6: Apply hotfix from official release notes
• Installation instructions available via Fortinet documentation portal

1. Upgrade to Patched Versions

• FortiClient EMS 7.4.7 or above (upcoming release)
• FortiClient EMS 7.2.11 or above

1. Network-Level Mitigations (Compensating Controls)

• Restrict EMS API access to whitelisted IP ranges only
• Place EMS behind WAF with API request validation
• Implement rate-limiting on API endpoints
• Monitor for suspicious API requests (unusual payloads, request volume spikes)

Detection:

Hunt for indicators of compromise:

• Unusual API requests to FortiClient EMS endpoints (check logs for CWE-284 bypass attempts)
• POST requests to API endpoints without valid authentication headers
• Execution of unauthorized commands on EMS service
• New local user accounts created on EMS server post-compromise
• Outbound connections from EMS to suspicious C2 infrastructure

Forensic Considerations:

• Check EMS access logs for pre-authentication requests during the vulnerability window (Feb-Apr 2026)
• Review endpoint management operations logs for unauthorized policy deployments or device modifications
• Audit all endpoints managed by the compromised EMS for signs of secondary implants or malware

Context: Fortinet’s Recent Vulnerability Pattern

This is the second critical FortiClient EMS zero-day in two weeks:

• CVE-2026-21643 (April 1, 2026): SQL injection in FortiClient EMS allowing unauthenticated RCE
• Patch released months prior but exploitation began only after Bishop Fox analysis published
• Indicates patch adoption lag and researcher-to-attacker TTP escalation
• CVE-2026-35616 (April 4, 2026): API authentication bypass enabling pre-auth RCE
• Active exploitation discovered before patch release
• Same-day hotfix deployment shows Fortinet’s operational response maturity

Pattern Assessment: Endpoint management products remain high-value targets due to their privileged position in enterprise networks. Two critical pre-auth RCEs in 3 days suggests either (1) concentrated security research against Fortinet, or (2) shared vulnerability class being actively hunted across the product.

CVSS Scorecard Justification

9.1 is justified because:

• Network-based attack: Any endpoint with network access to EMS can exploit
• Zero authentication: No credentials, tokens, or prior foothold required
• Low complexity: Standard HTTP/API request patterns, no special conditions
• High confidentiality/integrity/availability: Complete code execution capability
• Functional exploit code exists: Publicly available PoC reduces exploitation difficulty barrier

The only reason it’s not 10.0 is the “Unchanged Scope” (CVSS:3.1/S:U) — the attacker doesn’t breach the scope boundary of the vulnerable service itself, only gains control within that service context. In practical terms, for endpoint management, this distinction is academic.

Vendor Advisory Reference

Fortinet FG-IR-26-099: https://fortiguard.fortinet.com/psirt/FG-IR-26-099

Recommendation Summary

For Security Teams:

1. Identify all FortiClient EMS 7.4.5/7.4.6 instances in your environment
2. Apply emergency hotfix or upgrade to 7.4.7+ immediately — treat as Priority 0
3. If hotfix unavailable, isolate EMS from network access until patched
4. Audit endpoint management operations logs for signs of unauthorized changes during vulnerability window
5. Rotate all credentials used by EMS and all API tokens

For Incident Response:
If compromise is suspected, assume endpoint fleet has potential for secondary implants. Conduct full forensic review of device management operations and review all policy deployments during vulnerability exposure period.