Fortinet FortiOS Authentication Bypass Actively Exploited (CVE-2026-35616)
April 28th, 2026
Critical

Our Cyber Threat Intelligence Unit is monitoring an actively exploited critical vulnerability in Fortinet FortiClient EMS (Endpoint Management Server). Identified as CVE-2026-35616, this improper access control issue in the FortiClient EMS API allows unauthenticated attackers to bypass API authentication and authorization controls and remotely execute unauthorized code or commands via crafted requests. Fortinet released out-of-band hotfixes on April 4, 2026, and has stated it observed exploitation of this vulnerability in the wild. Separately, CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog on April 6, 2026, with a remediation deadline of April 9, 2026, for Federal Civilian Executive Branch agencies. Organizations running FortiClient EMS versions 7.4.5 or 7.4.6 exposed to the internet should prioritize remediation immediately.
Technical Details
Threat Type: Improper Access Control / Pre-Authentication API Access Bypass
Severity: Critical
CVE ID: CVE-2026-35616
CVSS Score: 9.8
Affected Component: FortiClient EMS API
Affected Product and Versions:
FortiClientEMS 7.4 — versions 7.4.5 through 7.4.6 are affected
FortiClientEMS 7.2 — not affected
Exploit Status: Actively exploited in the wild; zero-day exploitation confirmed prior to patch availability
Attack Chain Overview:
Initial Access: An unauthenticated attacker sends crafted requests to the FortiClient EMS API from a remote network location. No credentials or prior authentication are required to initiate exploitation.
Exploitation: The improper access control implementation in the FortiClient EMS API fails to enforce authentication and authorization checks on targeted API endpoints. The attacker bypasses these controls through specially crafted requests.
Privilege Escalation: Successful exploitation allows the attacker to escalate privileges within the FortiClient EMS environment.
Code Execution: With elevated access, the attacker can execute unauthorized code or commands on the affected FortiClient EMS server.
Post-Exploitation: Depending on attacker objectives, post-exploitation activity may include deployment of additional payloads, manipulation of endpoint management configurations, or use of the compromised EMS server as a foothold for further lateral movement into managed endpoint environments.

Impact
Unauthenticated Remote Code Execution: Attackers can execute arbitrary code or commands on the FortiClient EMS server without requiring valid credentials.
Privilege Escalation: Exploitation grants elevated access within the EMS environment, allowing the attacker to further control endpoint management functions.
Endpoint Management Compromise: A compromised FortiClient EMS server may allow attackers to manipulate security policies, configurations, and endpoint deployments across all managed endpoints.
Lateral Movement Risk: An attacker's access to the EMS management plane can be leveraged to pivot into managed endpoint environments across the organization.
Exposure of Sensitive Data: Endpoint telemetry, device inventory, and configuration data held within the EMS platform may be accessible to an attacker following successful exploitation.
Detection Method
Security teams should monitor application, network, and endpoint telemetry for indicators consistent with exploitation activity targeting FortiClient EMS:
Monitor FortiClient EMS access and API logs for unusual or malformed request patterns, particularly requests originating from external or unexpected IP addresses.
Detect anomalous API activity, including requests to sensitive EMS endpoints that deviate from normal administrative usage patterns.
Review FortiClient EMS logs for unexpected privilege escalation events or configuration changes that cannot be attributed to known administrative activity.
Monitor for unexpected process execution or command activity on the FortiClient EMS server host.
Correlate SIEM alerts for authentication bypass patterns or spikes in unauthenticated API requests targeting the EMS platform.
Track the unexpected creation of administrative accounts or the modification of existing account permissions within FortiClient EMS.
Review network traffic for unusual outbound connections originating from the FortiClient EMS server following any suspicious API activity.
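The following detection sketch is an added example, not part of this advisory or of any Fortinet tooling. It applies the first, second and fifth points above to constructed log lines: successful API requests that carry no authenticated identity are the signature of an authentication bypass, and the script ranks those from outside an assumed trusted management range (or using a state-changing method) as high severity and counts per-source spikes. The log layout, the trusted range and the API paths are assumptions; map your own EMS log export to these fields.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the organisation's trusted management ranges (replace with your own).
TRUSTED_RANGES = [ip_network("10.20.30.0/24")]

# Constructed sample lines in an assumed "timestamp src method path status user"
# layout. This is NOT the real FortiClient EMS log format, and the paths are
# placeholders rather than real EMS API endpoints.
SAMPLE_LOG = """\
2026-04-05T10:00:01Z 10.20.30.40 GET /api/example/endpoints 200 admin
2026-04-05T10:00:02Z 203.0.113.7 POST /api/example/admin-users 200 -
2026-04-05T10:00:03Z 203.0.113.7 POST /api/example/admin-users 200 -
2026-04-05T10:00:04Z 203.0.113.7 POST /api/example/settings 200 -
2026-04-05T10:00:05Z 10.20.30.41 GET /api/example/endpoints 401 -
2026-04-05T10:00:06Z 198.51.100.9 GET /api/example/version 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\S+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status, user = m.groups()
    return {"ts": ts, "src": src, "method": method, "path": path,
            "status": int(status), "user": None if user == "-" else user}

def is_external(src):
    """True when the source IP is outside every trusted management range."""
    try:
        addr = ip_address(src)
    except ValueError:
        return True  # an unparseable source field is itself worth a look
    return not any(addr in net for net in TRUSTED_RANGES)

def find_suspicious(log_text, spike_threshold=2):
    """Flag successful API requests with no authenticated user, rank external or
    state-changing ones 'high', and report sources with a spike of such requests."""
    alerts, per_source = [], Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or not e["path"].startswith("/api/"):
            continue
        if e["user"] is None and e["status"] < 400:
            per_source[e["src"]] += 1
            sev = "high" if is_external(e["src"]) or e["method"] != "GET" else "low"
            alerts.append((sev, e["ts"], e["src"], e["method"], e["path"]))
    spikes = {src: n for src, n in per_source.items() if n >= spike_threshold}
    return alerts, spikes
```

A 401 with no user is normal rejection and is deliberately not flagged; only a success without an identity is treated as a bypass candidate.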
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this advisory.

Recommendations
Apply the available hotfix immediately: Fortinet has released hotfixes for FortiClientEMS 7.4.5 and 7.4.6.
Organizations should apply these hotfixes without delay, following the instructions provided in the Fortinet PSIRT advisory (FG-IR-26-099).
Upgrade to FortiClientEMS 7.4.7 when available, as this release includes the permanent fix for CVE-2026-35616.
Restrict network access to the FortiClient EMS server. Where operationally feasible, limit API and management interface exposure to trusted internal IP ranges.
FortiClient EMS servers should not be directly accessible from the internet.
Review access and audit logs on the FortiClient EMS server for signs of unauthorized API access or configuration changes predating the hotfix deployment.
Enable robust logging and alerting on the EMS platform and forward logs to a SIEM for continuous monitoring.
Enforce network segmentation to limit the potential blast radius if the EMS server is or has been compromised.
Implement multi-factor authentication for all FortiClient EMS administrative accounts as a defense-in-depth measure.
Organizations subject to CISA KEV requirements should note that the April 9, 2026 remediation deadline has passed; any outstanding remediation should be treated as overdue.
Conclusion
The exploitation of CVE-2026-35616 highlights the ongoing risk of improper access control in enterprise endpoint management platforms. Because FortiClient EMS centrally manages endpoint security, a compromised server can affect all managed devices. Fortinet’s release of out-of-band hotfixes and CISA’s inclusion of this vulnerability in the Known Exploited Vulnerabilities catalog emphasize the need for immediate action. Organizations should promptly apply the hotfix, restrict external access to EMS infrastructure, and maintain continuous monitoring to detect and respond to exploitation attempts.