SOCRadar® Cyber Intelligence Inc.
Apr 06, 2026
Moon

CVE-2026-35616: FortiClient EMS API Auth Bypass Enables Command Execution

Fortinet disclosed a critical vulnerability in Fortinet FortiClient EMS (Enterprise Management Server) tracked as CVE-2026-35616. Fortinet also says it has observed in-the-wild exploitation and released out-of-band hotfix guidance for affected builds. This post breaks down what CVE-2026-35616 is, who is affected, and what defenders should do now.

What Is CVE-2026-35616?

CVE-2026-35616 is a CWE-284 Improper Access Control vulnerability in the FortiClient EMS API. Fortinet describes it as an API authentication and authorization bypass, meaning certain requests can reach protected functionality without a valid login or without passing expected authorization checks.

The assigned CVSS v3 score is 9.1 (Critical). The main drivers are that no authentication is required and that unauthorized code or command execution is possible.


Details of CVE-2026-35616 (SOCRadar Vulnerability Intelligence)


Which FortiClient EMS Versions Are Affected?

Fortinet’s advisory lists the affected versions as:

  • FortiClientEMS 7.4.5
  • FortiClientEMS 7.4.6

Fortinet also notes that FortiClientEMS 7.2 is not affected (per the advisory’s affected version table). If you are on the 7.4 branch, treat 7.4.5 to 7.4.6 as the immediate triage target.

How Does This API Authentication Bypass Turn Into Real Impact?

Fortinet’s summary is brief but high impact: an unauthenticated attacker may be able to bypass API authentication/authorization and execute unauthorized code or commands via crafted requests. Fortinet also lists the impact as escalation of privilege.

From a defender’s perspective, the risk is not limited to “someone can call an API.” FortiClient EMS is a centralized management system, so unauthorized access inside EMS can carry a large blast radius. Even without public details on the exact endpoints, assume a successful bypass could allow an attacker to:

  • Interact with EMS management functions without a valid session
  • Escalate privileges within EMS workflows (as characterized in third-party reporting)
  • Execute commands or code in the EMS context if the reachable functionality supports it

Because exploitation is described as unauthenticated, internet exposure is the key multiplier. An EMS instance reachable from untrusted networks is easier to find via scanning and easier to target at scale.

Is CVE-2026-35616 Being Exploited in the Wild?

Fortinet’s advisory text says it has observed exploitation in the wild and urges customers to install the hotfix. That should drive prioritization. The vendor’s decision to publish out-of-band hotfix guidance matches an urgent, real-world risk.

Separate third-party reporting also pointed to early exploitation signals observed in late March 2026, including honeypot activity.

How Broad Is Exposure Right Now?

Shadowserver identified roughly 2,000 FortiClient EMS instances reachable worldwide, with the United States and Germany accounting for the largest visible share. That matters even more because attackers have been exploiting not only CVE-2026-35616, but also CVE-2026-21643, an earlier critical FortiClient EMS flaw.

Exposure map for FortiClient Enterprise Management Server (Shadowserver)


CVE-2026-21643 is a pre-auth SQL injection issue in the administrative interface that can let a remote attacker execute unauthorized code or commands through crafted HTTP requests, and Fortinet’s advisory lists 7.4.4 as the affected release, with 7.4.5 or later as the fix.

What Is the Timeline Defenders Should Know?

Key dates that matter for patch urgency and incident review:

  • March 31, 2026: exploitation attempts reportedly observed against honeypots.
  • April 4, 2026: Fortinet published PSIRT advisory FG-IR-26-099.
  • April 5, 2026: broader public coverage highlighted the out-of-band hotfix and exploitation concerns.

If you run EMS 7.4.5 or 7.4.6, do two things in parallel: apply the hotfix and review recent logs and admin actions dating back at least to late March.

Strengthen External Threat Visibility With SOCRadar XTI

SOCRadar helps your organization track risk from both the threat and exposure side. With Cyber Threat Intelligence, teams can monitor emerging vulnerabilities, attacker activity, and exploit chatter that may raise the urgency of a flaw. With Attack Surface Management, you can identify internet-facing assets, spot exposed systems, and reduce unnecessary visibility before attackers abuse it. Used together, they help security teams move faster from detection to action.

SOCRadar Vulnerability Intelligence


What Should Defenders Do Now?

Prioritize hotfix installation for 7.4.5 and 7.4.6

Fortinet’s guidance is direct: if you are running FortiClient EMS 7.4.5 or 7.4.6, install the hotfix using Fortinet’s documented hotfix installation process. Fortinet indicates a permanent fix is expected in FortiClientEMS 7.4.7, but the hotfix is the immediate step intended to block exploitation.

Reduce exposure while you patch

Fortinet does not describe a separate workaround in the advisory content summarized here, so focus on exposure reduction you can enforce operationally:

  • Remove or restrict internet access to EMS management interfaces and APIs where possible.
  • Limit inbound access to known admin networks (VPN, jump hosts, allowlists) and enforce segmentation around EMS.
  • Confirm you are not unintentionally publishing EMS through reverse proxies or cloud security groups.

Treat suspicious behavior as a compromise lead, not just a scan

Even without published IOCs in the materials provided, you can still hunt for patterns consistent with an API auth bypass attempt:

  • Unusual spikes in API requests or atypical user-agent patterns targeting EMS
  • Requests that appear to hit administrative functions without a normal authentication flow
  • Unexpected configuration changes, new accounts, or altered access controls in EMS
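The three hunt patterns above, as an added illustration that is not part of SOCRadar's post or any Fortinet tooling: a small Python pass over constructed access-log lines that flags sources which reached management paths without a session, used an atypical user agent, or spiked in request rate. The log layout, the /api/v1/admin/ prefix, the cookie field and the thresholds are assumptions, since the post notes the real endpoints are not public.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic access-log layout (not the real FortiClient EMS
# log format). The /api/v1/admin/ prefix and the cookie field are assumptions.
SAMPLE_LOG = """\
203.0.113.10 [2026-03-31T02:14:01Z] "GET /api/v1/admin/settings" 200 "python-requests/2.31" cookie=-
203.0.113.10 [2026-03-31T02:14:02Z] "POST /api/v1/admin/tasks" 200 "python-requests/2.31" cookie=-
203.0.113.10 [2026-03-31T02:14:02Z] "POST /api/v1/admin/users" 200 "python-requests/2.31" cookie=-
203.0.113.10 [2026-03-31T02:14:03Z] "POST /api/v1/admin/tasks" 200 "python-requests/2.31" cookie=-
203.0.113.10 [2026-03-31T02:14:03Z] "GET /api/v1/admin/settings" 200 "python-requests/2.31" cookie=-
198.51.100.7 [2026-03-31T09:00:10Z] "GET /api/v1/admin/settings" 200 "Mozilla/5.0" cookie=sid
198.51.100.7 [2026-03-31T09:00:45Z] "GET /api/v1/policies" 200 "Mozilla/5.0" cookie=sid
192.0.2.44 [2026-03-31T11:30:00Z] "GET /api/v1/policies" 401 "curl/8.4" cookie=-
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+)" (\d{3}) "([^"]*)" cookie=(\S+)$')
ADMIN_PREFIX = "/api/v1/admin/"          # assumed prefix for protected management functions
BASELINE_AGENT_PREFIXES = ("Mozilla/",)   # assumed: what normal admin-console traffic looks like
SPIKE_PER_MINUTE = 4                      # per-source rate threshold; tune to your environment

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status, agent, cookie = m.groups()
            rows.append({"ip": ip, "minute": ts[:16], "method": method, "path": path,
                         "status": int(status), "agent": agent, "cookie": cookie})
    return rows

def hunt(log_text):
    """Return {source_ip: sorted reasons} for sources matching any hunt pattern."""
    findings = defaultdict(set)
    per_minute = defaultdict(int)
    for r in parse(log_text):
        per_minute[(r["ip"], r["minute"])] += 1
        # A management path served successfully with no session cookie is the auth-bypass shape.
        if r["path"].startswith(ADMIN_PREFIX) and r["cookie"] == "-" and 200 <= r["status"] < 300:
            findings[r["ip"]].add("admin_path_without_session")
        if not r["agent"].startswith(BASELINE_AGENT_PREFIXES):
            findings[r["ip"]].add("atypical_user_agent")
    for (ip, _), n in per_minute.items():
        if n >= SPIKE_PER_MINUTE:
            findings[ip].add("request_spike")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

if __name__ == "__main__":
    for ip, reasons in hunt(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

A source that trips all three reasons is a compromise lead worth a full review of EMS admin actions for that window, not just a scanner entry.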

Plan validation after patching

After applying the hotfix or upgrading when available, validate that:

  • The EMS instance is no longer externally reachable except through intended admin paths
  • Administrative accounts and roles match expected baselines
  • No unexplained scheduled tasks, integrations, or agent deployment changes occurred during the exposure window