Fix Soon

CVE-2026-35616

Unauthenticated API auth/authz bypass → RCE in FortiClient EMS (pre-auth)

Summary

FortiClient EMS 7.4.5–7.4.6 contain an improper access control flaw in the API authentication/authorization layer that lets unauthenticated attackers send crafted HTTPS requests to EMS administrative functions. Successful exploitation can bypass access checks and trigger unauthorized commands or code execution on the EMS server. Fortinet says the issue is being exploited in the wild and provides a hotfix plus a fixed 7.4.7 release.

Why Fix Soon?

6/6
No authentication required
Mixed internet / internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
Authentication Bypass
Is exploitable with default configuration?
Yes
Is authentication needed?
No
PoC / Exploit
No
Impact

Execute arbitrary code or commands on the FortiClient EMS server, potentially leading to full compromise of the EMS and downstream managed endpoints.

RCE (Remote Code Execution)
Exploitation Requirements
  • Network access to the EMS web/API on HTTPS/443
  • FortiClient EMS 7.4.5 or 7.4.6 without the vendor hotfix
  • No credentials required
Exploitation Process

An unauthenticated attacker connects to the FortiClient EMS HTTPS web/API interface and sends crafted requests that bypass the API's authentication and authorization checks. The attacker then invokes administrative functionality or other privileged server-side actions that EMS processes as trusted, which can result in command or code execution on the EMS host. Success is typically confirmed by unexpected administrative state changes, server-side process execution, or attacker-controlled output/behavior on the EMS system.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
1

Affected Software

Vendor: Fortinet
Product: FortiClient EMS
Affected Versions: 7.4.5 through 7.4.6
Description

Centralized endpoint management server for FortiClient agents, used to deploy configurations, policies, telemetry, and software updates across enterprise endpoints.

Deployment: Mixed (internet/internal) | Protocol: HTTPS | Ports: 443
Affected Component: FortiClient EMS web/API authentication and authorization layer handling administrative requests.

Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments, on a scale from Very Low to Very High (AI-generated estimate based on market presence, product type and adoption signals, not exact data).
Vendor Size: Big
Remediation
Workaround
Restrict EMS web/API access to trusted IP ranges or VPN users and block public exposure of TCP/443; Fortinet documentation notes EMS web access uses 443 and recommends blocking other ports or service requests to the EMS IP/FQDN. This reduces who can reach the vulnerable interface but does not remove the flaw: any client inside the allowed ranges can still exploit it until the hotfix or 7.4.7 is applied.

docs.fortinet.com
Patch
Apply Fortinet's EMS hotfix package on FortiClient EMS 7.4.5 or 7.4.6 using the vendor's hotfix installation instructions.

docs.fortinet.com
Update
Upgrade FortiClient EMS to 7.4.7 or later; Fortinet says the 7.4.5 and 7.4.6 hotfixes also fully prevent the issue.

fortiguard.fortinet.com
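A small triage helper that applies the facts in the Affected Software and Remediation sections above to an inventory list. This is an added example, not code from this page or from Fortinet; it encodes only what the advisory states (7.4.5 through 7.4.6 affected, the vendor hotfix for those two versions prevents the issue, 7.4.7 or later fixed) and refuses to guess about versions the advisory does not name. The inventory field names (host, version, hotfix, internet_exposed) and the sample hosts are assumptions constructed for this example.

```python
"""Inventory triage for the FortiClient EMS advisory above.

Added example, not code from this page or from Fortinet. It encodes only
what the advisory states: 7.4.5 through 7.4.6 are affected, the vendor
hotfix for those two versions prevents the issue, and 7.4.7 or later is
fixed. Inventory field names and the sample hosts are assumptions made
for this example.
"""
import re

AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED_MIN = (7, 4, 7)

# A leading 'v' and any build suffix ('7.4.5 build 1234', '7.4.6-1234') are
# tolerated; only the major.minor.patch triple is compared.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch); refuse to guess on unrecognised strings."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised EMS version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(version, hotfix_applied=False):
    """Map a reported EMS version to one of four states.

    'affected'             7.4.5 or 7.4.6 without the vendor hotfix
    'mitigated-hotfix'     7.4.5 or 7.4.6 with the hotfix (advisory: fully prevents)
    'fixed'                7.4.7 or later on the 7.4 branch
    'outside-stated-range' anything the advisory does not name; verify separately
    """
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "mitigated-hotfix" if hotfix_applied else "affected"
    if v[:2] == (7, 4) and v >= FIXED_MIN:
        return "fixed"
    return "outside-stated-range"


# (rank, recommended action) per state; exposed + affected is split out in triage().
_ACTIONS = {
    "affected": (1, "apply hotfix or upgrade to 7.4.7+"),
    "mitigated-hotfix": (2, "schedule upgrade to 7.4.7+"),
    "outside-stated-range": (3, "confirm against the vendor advisory"),
    "fixed": (4, "none"),
}


def triage(inventory):
    """Return [(host, state, action)] ordered so the most urgent hosts come first.

    Each inventory entry is a dict with 'host', 'version' and optional
    'hotfix' and 'internet_exposed' booleans (field names assumed here).
    An affected host reachable from the internet is ranked above everything
    else and told to cut off TCP/443 before patching, matching the workaround.
    """
    rows = []
    for item in inventory:
        state = classify(item["version"], item.get("hotfix", False))
        rank, action = _ACTIONS[state]
        if state == "affected" and item.get("internet_exposed", False):
            rank, action = 0, "restrict TCP/443 to trusted ranges now, then hotfix/upgrade"
        rows.append((rank, item["host"], state, action))
    rows.sort()
    return [(host, state, action) for _, host, state, action in rows]


# Constructed sample inventory for demonstration; not real hosts.
SAMPLE_INVENTORY = [
    {"host": "ems-dmz-01", "version": "7.4.6", "internet_exposed": True},
    {"host": "ems-corp-02", "version": "v7.4.5 build 1234", "hotfix": True},
    {"host": "ems-lab-03", "version": "7.4.5"},
    {"host": "ems-new-04", "version": "7.4.7"},
    {"host": "ems-old-05", "version": "7.4.2"},
]

if __name__ == "__main__":
    for host, state, action in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {state:<22} {action}")
```

Versions on branches other than 7.4 (or below 7.4.5) are deliberately reported as outside the stated range rather than as safe, because the advisory only names 7.4.5 through 7.4.6; check those against the vendor bulletin instead of trusting the script.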
Threat Intelligence
EPSS Score: 0.0%

Probability of exploitation in the next 30 days

EPSS Percentile: 10%

Score is higher than that of 10% of all CVEs

CISA KEV
Not Listed
Active Exploitation
Active
fortiguard.fortinet.com
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

CVSS Base Score

9.8
Critical

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-284 Improper Access Control

Sources

4

Priority History

Fix Soon

Initial analysis