CVE-2026-35616 is a critical authentication and authorization bypass affecting Fortinet FortiClient EMS versions 7.4.5 through 7.4.6. Rated CVSS 9.1 (Critical), the vulnerability allows unauthenticated remote attackers to bypass API authentication controls and execute privileged operations against the endpoint management server. Functional exploit code is circulating, and Fortinet has confirmed active exploitation in the wild. Organizations running affected versions must treat this as a priority-zero remediation event.
This advisory is classified TLP:GREEN. Recipients may share this information with peers and partner organizations within their community. It should not be posted on publicly accessible websites or shared outside the recipient's community without authorization.
Vulnerability Metadata
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-35616 |
| Fortinet PSIRT Ref | FG-IR-26-099 |
| CWE | CWE-284: Improper Access Control |
| Affected Product | FortiClient EMS 7.4.5 - 7.4.6 |
| CVSS 3.1 Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| CVSS Score | 9.1 Critical |
| Attack Vector | Network (Remote) |
| Authentication | None required |
| User Interaction | None |
| Impact | Confidentiality: High; Integrity: High; Availability: None |
| Exploitation Status | Exploited in the Wild |
| Disclosure Date | March 2026 |
| Discovery Credits | Simo Kohonen (Defused), Nguyen Duc Anh |
Affected Versions
| Version | Status | Action |
|---|---|---|
| 7.4.6 | Vulnerable | Upgrade to 7.4.7 or later immediately |
| 7.4.5 | Vulnerable | Upgrade to 7.4.7 or later immediately |
| 7.4.4 and earlier | Not Affected | No action required (consider upgrade for defense-in-depth) |
| 7.2.x | Not Affected | No action required |
| 7.0.x and earlier | Not Affected | No action required (consider upgrade -- EOL branches) |
Organizations running FortiClient EMS 7.4.5 or 7.4.6 must immediately upgrade to version 7.4.7 or later. If an immediate upgrade is not feasible, restrict network access to the EMS management interface (TCP 8013 and 443) through firewall rules or network segmentation until patching is complete.
Technical Analysis
Vulnerability Class: CWE-284 Improper Access Control
CVE-2026-35616 is classified under CWE-284: Improper Access Control. The root cause lies in the FortiClient EMS API layer, where authentication and authorization checks are insufficiently enforced on certain management endpoints. The flaw allows a remote attacker to craft API requests that bypass the expected authentication mechanism entirely, gaining access to privileged administrative functions without presenting valid credentials.
Attack Mechanics
The vulnerability is particularly dangerous due to its minimal exploitation requirements:
- No authentication required -- the attacker does not need valid credentials or session tokens
- No user interaction -- exploitation requires no action from administrators or end users
- Low attack complexity -- the vulnerability can be exploited with standard HTTP requests to the EMS API
- Network-accessible -- any system with network reachability to the EMS management ports (TCP 8013 or 443) is a potential target
Impact Scope
Successful exploitation grants attackers administrative control over the FortiClient EMS server, which serves as the centralized management platform for all enrolled FortiClient endpoints. The downstream impact is severe:
- Enrolled endpoint compromise -- attackers can push malicious policies, disable security controls, or deploy payloads to all managed endpoints
- VPN configuration theft -- FortiClient EMS stores VPN profiles, certificates, and connection configurations that can be extracted for further network access
- Lateral movement enablement -- with control over endpoint management, attackers gain a trusted position to pivot across the enterprise network
- Credential harvesting -- stored credentials and authentication tokens managed by EMS become accessible to the attacker
Exploitation Context
Fortinet has confirmed active exploitation in the wild. Multiple threat intelligence sources report that functional exploit code is circulating in underground forums and has been observed in use by both financially motivated ransomware operators and state-sponsored APT groups. The combination of a low-complexity attack vector with high-impact outcomes makes this vulnerability a prime target for opportunistic scanning and targeted campaigns alike.
Fortinet infrastructure has been repeatedly targeted by sophisticated threat actors. Previous FortiClient EMS vulnerabilities (CVE-2023-48788) were similarly exploited in the wild. The pattern of Fortinet product exploitation by ransomware groups and APTs -- including UNC3886, Volt Typhoon, and various ransomware affiliates -- indicates that CVE-2026-35616 will be aggressively targeted across all exposed instances.
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic | Relevance |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access | Direct exploitation of the internet-exposed EMS API |
| T1078.003 | Valid Accounts: Local Accounts | Persistence | Creation of new administrative accounts on EMS for persistent access |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation | Leveraging EMS admin access to escalate privileges across managed endpoints |
| T1059 | Command and Scripting Interpreter | Execution | Executing commands on the EMS host or pushing scripts to managed endpoints |
| T1071.001 | Application Layer Protocol: Web Protocols | Command & Control | C2 communication over HTTPS to blend with legitimate EMS traffic |
Detection Guidance
Network-Level Detection
- Monitor API calls to TCP 8013 and 443 -- unusual volume or patterns of requests to the EMS management interface, particularly from external or unexpected source IPs
- Missing authentication headers -- API requests to management endpoints that lack standard authentication tokens or session cookies
- Outbound C2 indicators -- unexpected outbound connections from the EMS server to external IP addresses, particularly over non-standard ports or to known malicious infrastructure
- TLS certificate anomalies -- connections to EMS using unexpected or self-signed certificates that differ from the legitimate deployment
Host-Level Detection
- Child processes from EMS service -- monitor for unexpected child processes spawned by the FortiClient EMS service (e.g., cmd.exe, powershell.exe, certutil.exe)
- New administrative accounts -- creation of local or domain accounts on the EMS host that were not provisioned through standard change management
- Webshell indicators -- new or modified files in the EMS web directories, particularly .aspx, .jsp, or .php files
- Scheduled tasks and services -- new scheduled tasks or Windows services created on the EMS host that were not part of standard operations
Log Sources
- FortiClient EMS logs -- review EMS application logs for authentication failures followed by successful API operations, configuration changes, or policy modifications
- Windows Event Log 4688 -- process creation events on the EMS host, filtered for child processes of the EMS service account
- NetFlow / network metadata -- flow data showing unusual connection patterns to/from the EMS server, particularly high-volume API interactions or long-duration sessions
- Syslog / SIEM correlation -- centralized log analysis correlating EMS events with endpoint telemetry, firewall logs, and authentication events
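The host-level "child processes from EMS service" check above, combined with the Event ID 4688 log source, can be expressed as a small hunting script. The following is an added example (not Fortinet's or Mjolnir's code): it walks 4688-style process-creation records and flags interpreters or LOLBins whose parent image is the EMS service or whose subject account is the EMS service account. The EMS binary name, the service account name and the sample records are constructed placeholders; substitute the real values from your deployment.

```python
"""Hunt Windows Event ID 4688 records for suspicious children of the EMS service.

Added example; not Fortinet code. The EMS service binary name, the service
account and the log records below are constructed placeholders.
"""
from collections import namedtuple

# Assumed identity of the EMS service process on the host (placeholders).
EMS_PARENT_IMAGES = {"forticlientems_service.exe"}   # hypothetical binary name
EMS_SERVICE_ACCOUNTS = {"svc_fcems"}                  # hypothetical service account

# Interpreters and LOLBins the advisory names as unexpected EMS children.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe"}

# Field names mirror 4688's SubjectUserName, NewProcessName,
# ParentProcessName and CommandLine (the last needs command-line auditing on).
Event4688 = namedtuple(
    "Event4688", "time_created subject_user new_process parent_process command_line"
)


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_ems_children(events):
    """Return the 4688 events in which the EMS service (matched by parent image
    or by service account) spawned an interpreter or LOLBin."""
    hits = []
    for ev in events:
        child = _basename(ev.new_process)
        parent = _basename(ev.parent_process)
        from_ems = (
            parent in EMS_PARENT_IMAGES
            or ev.subject_user.lower() in EMS_SERVICE_ACCOUNTS
        )
        if from_ems and child in SUSPICIOUS_CHILDREN:
            hits.append(ev)
    return hits


# Constructed sample records; every value is invented for illustration.
EMS_DIR = r"C:\Program Files\Fortinet\FortiClientEMS"
SAMPLE_EVENTS = [
    # Service start by the SCM: expected, not flagged.
    Event4688("2026-03-20T10:01:03Z", "svc_fcems",
              EMS_DIR + r"\forticlientems_service.exe",
              r"C:\Windows\System32\services.exe", "forticlientems_service.exe"),
    # cmd.exe directly under the EMS service image: flagged.
    Event4688("2026-03-20T10:04:11Z", "svc_fcems",
              r"C:\Windows\System32\cmd.exe",
              EMS_DIR + r"\forticlientems_service.exe", "cmd.exe /c hostname"),
    # certutil.exe one hop down but still under the service account: flagged.
    Event4688("2026-03-20T10:04:12Z", "svc_fcems",
              r"C:\Windows\System32\certutil.exe",
              r"C:\Windows\System32\cmd.exe", "certutil.exe"),
    # An administrator's interactive PowerShell: unrelated, not flagged.
    Event4688("2026-03-20T10:10:00Z", "jdoe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for hit in flag_ems_children(SAMPLE_EVENTS):
        print(hit.time_created, hit.subject_user, hit.command_line)
```

Matching on the service account as well as the parent image catches descendants more than one hop below the service (the certutil.exe record above), which a pure parent-image rule would miss; the trade-off is that any legitimate helper the service account runs must be added to an allowlist during baselining.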
Sigma / Detection Logic
A key detection pattern involves monitoring for HTTP response code transitions from 401/403 to 200 on EMS management endpoints within a short time window from the same source IP. This pattern may indicate an attacker probing authentication controls and successfully bypassing them. Correlate with the absence of valid session establishment events in EMS logs.
Organizations should baseline normal EMS API traffic patterns before deploying detection rules. The EMS server legitimately communicates with enrolled endpoints over the same ports targeted by this exploit. Tuning detection rules to reduce false positives requires understanding your specific deployment topology -- including which subnets host enrolled endpoints versus management consoles.
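The 401/403-to-200 transition pattern described above, including the baselining advice (skip sources in enrolled-endpoint subnets and sources with a valid session establishment event), as an added example that is not part of the advisory and not Fortinet's or Mjolnir's detection logic. The access-log line format, the management path prefix, the subnets and the addresses are constructed placeholders; real EMS logs will need their own parser.

```python
"""Flag 401/403 -> 200 transitions on management endpoints per source IP.

Added example; the log shape, endpoint paths and addresses are constructed
placeholders rather than real FortiClient EMS values.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed access-log shape: "<ISO time> <src ip> <method> <path> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Placeholder prefix treated as a management endpoint (not a real EMS path).
MANAGEMENT_PREFIX = "/api/mgmt/"
# Placeholder subnets baselined as enrolled endpoints; tune per deployment.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip, "method": method, "path": path, "status": int(status),
    }


def is_trusted(ip):
    """True when the source sits in a baselined enrolled-endpoint subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_bypass_transitions(lines, window_seconds=300, authenticated_sources=frozenset()):
    """Return (ip, denied_ts, success_ts, path) tuples for every source that
    received 401/403 on a management endpoint and then 200 on a management
    endpoint within window_seconds. Sources in TRUSTED_NETS and sources that
    have a valid session establishment event (authenticated_sources) are skipped."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_line, lines)
              if e and e["path"].startswith(MANAGEMENT_PREFIX)]
    events.sort(key=lambda e: e["ts"])
    last_denied = {}   # ip -> most recent 401/403 event
    alerts = []
    for e in events:
        if e["ip"] in authenticated_sources or is_trusted(e["ip"]):
            continue
        if e["status"] in (401, 403):
            last_denied[e["ip"]] = e
        elif e["status"] == 200 and e["ip"] in last_denied:
            denied = last_denied.pop(e["ip"])   # a 200 resolves the pending denial
            if e["ts"] - denied["ts"] <= window:
                alerts.append((e["ip"], denied["ts"], e["ts"], e["path"]))
    return alerts


# Constructed sample log; all addresses are documentation ranges.
SAMPLE_LOG = """\
2026-03-20T10:00:00Z 10.20.5.14 GET /api/mgmt/policies 401
2026-03-20T10:00:01Z 10.20.5.14 GET /api/mgmt/policies 200
2026-03-20T10:03:10Z 203.0.113.7 GET /api/mgmt/admins 401
2026-03-20T10:03:11Z 203.0.113.7 GET /api/mgmt/admins 403
2026-03-20T10:03:15Z 203.0.113.7 POST /api/mgmt/admins 200
2026-03-20T10:40:00Z 198.51.100.9 GET /api/mgmt/status 401
2026-03-20T11:30:00Z 198.51.100.9 GET /api/mgmt/status 200
2026-03-20T11:31:00Z 192.0.2.5 GET /static/logo.png 200
"""

if __name__ == "__main__":
    for ip, denied_at, ok_at, path in find_bypass_transitions(SAMPLE_LOG.splitlines()):
        print(f"{ip}: denied {denied_at.isoformat()} then 200 at {ok_at.isoformat()} on {path}")
```

Of the four sources in the sample, only 203.0.113.7 alerts: the enrolled-endpoint host re-authenticates legitimately and is baselined out, the 198.51.100.9 pair is fifty minutes apart and falls outside the window, and the static asset is not a management endpoint. Passing the set of sources that appear in EMS session establishment events as authenticated_sources implements the final correlation step from the paragraph above.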
What Needs to Improve
- Expose Only What Is Required: FortiClient EMS management interfaces should never be directly exposed to the internet. Implement strict network segmentation, placing EMS behind a VPN or zero-trust access proxy. Only allow connections from authorized management networks and enrolled endpoint subnets.
- Enforce Multi-Layer Authentication: Relying on a single authentication mechanism at the API layer is insufficient. Deploy multi-factor authentication (MFA) for all administrative access to EMS. Implement certificate-based mutual TLS (mTLS) for API communications where supported.
- Prioritize Patch Management for Security Infrastructure: Security management platforms like EMS must be treated as Tier-0 assets with the shortest acceptable patch windows. The irony of a security product becoming the attack vector is a recurring pattern -- organizations must apply vendor patches to security infrastructure within 24-48 hours of release, not the standard 30-day cycle.
- Enable Comprehensive Logging on the EMS Host: Default logging on FortiClient EMS may not capture the telemetry needed to detect exploitation. Enable verbose API logging, Windows process auditing (Event ID 4688 with command-line logging), and forward all logs to a centralized SIEM with at least 90 days of retention.
- Plan for Assumed Breach: Given the active exploitation status, organizations should not merely patch and move on. Conduct a proactive compromise assessment to determine whether exploitation occurred before patching. Assume breach until evidence indicates otherwise -- rotate credentials, review endpoint policies, and audit administrative accounts.
How Mjolnir Security Can Help
Mjolnir Security provides specialized services to address the full lifecycle of the FortiClient EMS threat -- from immediate incident response to long-term security architecture improvements.
- Emergency Exposure Assessment: Rapid identification of all FortiClient EMS instances across your environment, including version validation, network exposure analysis, and immediate risk scoring. Our team can determine within hours whether your EMS deployment is vulnerable and externally reachable.
- Compromise Assessment: For organizations running affected versions, Mjolnir conducts a thorough forensic review of EMS servers and managed endpoints. We analyze API logs, process execution history, account creation events, and network telemetry to determine whether exploitation has already occurred.
- Incident Response Retainer: Pre-negotiated IR retainer ensures Mjolnir's DFIR team is available within SLA-defined response times when incidents occur. Engage our 24/7 Incident Hotline at +1 833 403 5875 for immediate assistance.
- Detection Engineering: Custom detection rules and hunting queries tailored to your SIEM and EDR stack, specifically designed to identify CVE-2026-35616 exploitation patterns, post-exploitation behaviors, and lateral movement from compromised EMS infrastructure.
- Security Architecture Review: Comprehensive assessment of your endpoint management architecture, network segmentation posture, and security infrastructure exposure. Identifies architectural weaknesses that amplify the impact of vulnerabilities like CVE-2026-35616 and provides actionable remediation roadmaps.
Remediation Checklist
- Identify all FortiClient EMS instances -- enumerate all EMS deployments across the organization, including development, staging, and production environments
- Validate running versions -- confirm whether each instance runs 7.4.5 or 7.4.6; prioritize these for immediate action
- Apply vendor patch -- upgrade affected instances to FortiClient EMS 7.4.7 or later as released by Fortinet
- Restrict network access -- if patching cannot be completed immediately, implement emergency firewall rules to restrict access to EMS management ports (TCP 8013 and 443) to authorized management subnets only
- Conduct compromise assessment -- review EMS logs, Windows Event Logs, and network flow data for indicators of exploitation prior to patching
- Audit administrative accounts -- review all EMS administrative and local accounts for unauthorized additions or modifications
- Rotate credentials -- reset all EMS administrative passwords, API keys, and certificates; rotate VPN credentials stored within EMS
- Validate endpoint policies -- review policies pushed to managed endpoints for unauthorized changes, disabled security features, or injected configurations
- Implement network segmentation -- move EMS management interfaces behind VPN or zero-trust access controls; ensure only authorized subnets can reach management ports
- Deploy enhanced monitoring -- implement the detection rules outlined in this advisory; baseline normal EMS API traffic and configure alerting thresholds
- Enable MFA for EMS administration -- require multi-factor authentication for all administrative access to the EMS console and API
- Conduct architecture review -- evaluate the broader security infrastructure for similar exposure patterns and single points of compromise
References
- "FortiClient EMS - Authentication bypass on administrative API," Fortinet PSIRT, FG-IR-26-099. fortiguard.com/psirt
- "FortiClient EMS 7.4.7 Release Notes," Fortinet Documentation. docs.fortinet.com
- "T1190 - Exploit Public-Facing Application," MITRE ATT&CK. attack.mitre.org
- "CWE-284: Improper Access Control," MITRE CWE. cwe.mitre.org
- "CVE-2026-35616," NIST National Vulnerability Database. nvd.nist.gov