Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday. [...]
Analysis Summary
# Vulnerability: FortiClient EMS Pre-Authentication API Access Bypass
## CVE Details
- **CVE ID:** CVE-2026-35616
- **CVSS Score:** 9.8 (Critical - Estimated based on pre-auth RCE nature)
- **CWE:** CWE-284: Improper Access Control / CWE-288: Authentication Bypass Using an Alternate Path
## Affected Systems
- **Products:** Fortinet FortiClient Enterprise Management Server (EMS)
- **Versions:**
  - 7.4.5
  - 7.4.6
- **Configurations:** Systems with the API interface exposed to the network (Internet-facing instances are at highest risk).
## Vulnerability Description
CVE-2026-35616 is a pre-authentication API access bypass flaw. The vulnerability stems from improper access control within the EMS API components. An unauthenticated remote attacker can send specially crafted requests to the server to bypass existing authentication and authorization controls. This bypass grants the attacker the ability to execute arbitrary code or system commands with administrative privileges on the underlying server.
## Exploitation
- **Status:** Exploited in the wild (Zero-day attacks observed)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Total access to system data and managed endpoint metadata)
- **Integrity:** High (Ability to execute unauthorized commands and modify system configurations)
- **Availability:** High (Potential for complete system takeover or service disruption)
## Remediation
### Patches
Fortinet has released emergency hotfixes for the affected versions. Users should apply the hotfix for their current version, or upgrade to the fully patched release once it is available:
- **FortiClient EMS 7.4.5:** Apply version-specific emergency hotfix.
- **FortiClient EMS 7.4.6:** Apply version-specific emergency hotfix.
- **FortiClient EMS 7.4.7:** Full patched version (pending/upcoming release).
### Workarounds
- **Network Segmentation:** Ensure FortiClient EMS instances are not exposed to the public internet unless absolutely necessary.
- **Access Control Lists (ACLs):** Restrict access to the EMS management interface and API to trusted administrative IP addresses only.
- **Discontinuation:** CISA recommends discontinuing use of the product if patches cannot be applied immediately.
## Detection
- **Indicators of Compromise:** Monitor web server logs for unusual or malformed requests to API endpoints, particularly those originating from unexpected geographical locations or unauthorized IPs.
- **Tools:** Shadowserver tracks exposed instances; administrators should check their external footprint via `dashboard.shadowserver.org`.
- **CISA KEV:** This vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog.
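As an added example (not from the original report or from Fortinet), the following Python script turns the ACL workaround and the log-monitoring guidance above into a concrete triage check: it reads web-server access-log lines, picks out requests to the API, and flags any that did not come from the trusted administrator networks, plus any request line the server could not parse. It assumes Common Log Format, an API path prefix of `/api/` (a placeholder, since the page does not give the real EMS route layout), and constructed trusted CIDRs and sample log lines.

```python
"""Triage access logs for API requests from outside the admin allowlist.

Added example, not part of the original report. Assumptions: logs are in
Common Log Format; the API lives under API_PREFIX (placeholder, not taken
from Fortinet documentation); TRUSTED_NETWORKS and SAMPLE_LOG are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

API_PREFIX = "/api/"  # placeholder prefix; substitute your deployment's real one

# Constructed trusted-administrator networks, i.e. the ACL workaround's allowlist.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.5.0/24", "192.168.100.0/24")]

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reason: str


def parse_request(req: str):
    """Split a request line into (method, path); None if it is malformed."""
    parts = req.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/") or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def is_trusted(ip: str) -> bool:
    """True only for addresses inside one of the allowlisted admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(lines):
    """Return Findings for malformed requests and API calls from untrusted IPs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        ip, status = m["ip"], int(m["status"])
        parsed = parse_request(m["req"])
        if parsed is None:
            findings.append(Finding(ip, m["req"], status, "malformed request line"))
            continue
        _method, path = parsed
        if not path.startswith(API_PREFIX):
            continue
        if not is_trusted(ip):
            # A 2xx response means the server accepted an API call from outside
            # the ACL, which is the condition the workaround is meant to prevent.
            reason = "API request from untrusted IP"
            if 200 <= status < 300:
                reason += " (accepted)"
            findings.append(Finding(ip, path, status, reason))
    return findings


# Constructed sample log lines; the paths are illustrative, not real EMS routes.
SAMPLE_LOG = [
    '10.0.5.12 - - [20/Apr/2026:10:01:02 +0000] "GET /api/v1/status HTTP/1.1" 200 512',
    '203.0.113.77 - - [20/Apr/2026:10:01:05 +0000] "POST /api/v1/example HTTP/1.1" 200 128',
    '203.0.113.77 - - [20/Apr/2026:10:01:07 +0000] "GET /login HTTP/1.1" 200 2048',
    r'198.51.100.9 - - [20/Apr/2026:10:01:09 +0000] "\x16\x03\x01 HTTP/1.1" 400 0',
    '192.168.100.4 - - [20/Apr/2026:10:01:11 +0000] "DELETE /api/v1/example/3 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ip:15} {f.status} {f.reason}: {f.path}")
```

Run against the constructed sample it reports two findings: the accepted API request from 203.0.113.77 (outside the allowlist) and the malformed request line from 198.51.100.9. Requests from the trusted networks and non-API paths are ignored, so the output stays short enough to review by hand. Point `triage` at real log lines (for example `triage(open(path))`) after replacing `API_PREFIX` and `TRUSTED_NETWORKS` with your own values.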
## References
- **Fortinet Advisory (as reported by BleepingComputer):** hXXps[://]www[.]bleepingcomputer[.]com/news/security/new-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks/
- **CISA KEV Catalog:** hXXps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Shadowserver Statistics:** hXXps[://]dashboard[.]shadowserver[.]org/statistics/iot-devices/time-series/?vendor=fortinet&model=forticlient+enterprise+management+server+%28ems%29