CVE-2026-35616 · CWE-284 · Disclosed 2026-04-04

An improper access control vulnerability in Fortinet FortiClient EMS 7

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is the master key cabinet on the loading dock, not a hard-to-reach server bug

CVE-2026-35616 is an improper access control flaw in Fortinet FortiClient EMS affecting 7.4.5 through 7.4.6. In practice, it is a pre-auth API access bypass on the EMS management plane: a remote attacker who can reach the HTTPS interface can send crafted requests and obtain privileged API behavior that Fortinet says can lead to unauthorized code or command execution on the EMS server. Fixed paths are 7.4.7+ or the emergency hotfixes 7.4.5.2111.1277073 and 7.4.6.2170.1277073.

The vendor's *critical* call matches reality. Yes, the affected version slice is narrow, and many EMS deployments should be management-only, but the decisive amplifiers swamp that friction: no auth required, active exploitation confirmed, KEV-listed, trivial network reachability when exposed, and the target is a control plane for endpoint policy and software distribution. A compromise here is not just one Windows server; it is a launchpad into every managed endpoint the server can touch.

"KEV-listed pre-auth takeover of a central endpoint manager with thousands of exposed hosts stays firmly critical."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an exposed EMS listener

The attacker uses commodity internet scanning or asset-search tooling such as Censys or a simple curl/nmap sweep to locate FortiClient EMS on TCP/443. Censys published fingerprints for the product and observed roughly 10,000 exposed EMS hosts, with 3,835 potentially vulnerable by banner.
Conditions required:
  • Target EMS is reachable over HTTPS from the attacker position
  • Instance is FortiClient EMS 7.4.5 or 7.4.6 or an unpatched hotfix-equivalent build
Where this breaks in practice:
  • Many mature enterprises keep EMS on internal management networks or behind VPN
  • Banner-based exposure counts overestimate true exploitability because some hosts are already hotfixed
Detection/coverage: External attack-surface tools and ASM products should find this easily; runZero and Censys both published product fingerprints and hunt queries.
STEP 02

Bypass certificate-based API auth

Per Bishop Fox analysis, the vulnerable trust boundary lets the Django application accept user-controlled HTTP headers as if they were trusted certificate-auth context. A crafted request can therefore cross the auth gate without valid credentials, turning a normal HTTP client into the weaponized tool.
Conditions required:
  • HTTPS access to the EMS web/API interface
  • Target still trusts spoofable X-SSL-CLIENT-* style headers or equivalent unstripped auth context
Where this breaks in practice:
  • A reverse proxy, WAF, or the Fortinet hotfix that strips spoofable headers breaks this path
  • Private-only exposure means the attacker usually needs prior foothold or VPN access
Detection/coverage: Behavioral detection is possible; Bishop Fox documented a non-destructive differential test in which spoofed headers change server responses on vulnerable systems.
STEP 03

Abuse privileged API endpoints

Once across the auth boundary, the attacker can hit endpoints intended for device, FortiGate, ZTNA, and administration workflows. Bishop Fox's reverse engineering describes a large attack surface including server settings, certificate material, token/JWT-related state, software inventory, and endpoint management functions.
Conditions required:
  • Successful pre-auth bypass
  • Relevant privileged API routes exposed on the EMS instance
Where this breaks in practice:
  • Blast radius depends on what EMS is actually integrated with: some shops use only a subset of features
  • Application logging may capture unusual API use if anyone is watching it
Detection/coverage: Look for API calls from new source IPs, missing normal session/JWT context, and unusual administrative actions immediately following 401/auth-related errors.
STEP 04

Turn server compromise into fleet impact

The attacker can pivot from the EMS control plane to enterprise impact by pushing policy, software, or command changes through normal management channels, or by harvesting sensitive integration material. This is where a single pre-auth bug becomes an environment-wide problem: the product is designed to orchestrate endpoints at scale.
Conditions required:
  • EMS has managed endpoints and/or security integrations enrolled
  • Attacker retains API control long enough to stage actions
Where this breaks in practice:
  • Change control, agent enrollment state, or segmentation can limit how many endpoints actually receive attacker actions
  • EDR on the EMS host or managed endpoints may catch follow-on payloads even if the auth bypass itself succeeds
Detection/coverage: EDR should light up on post-exploitation from the EMS server; watch for mass policy changes, unexpected package deployments, certificate exports, and outbound connections from the EMS host.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: Yes. Fortinet said exploitation was observed in the wild; CISA ADP marks exploitation as active in the CVE record.
KEV status: KEV-listed on 2026-04-06 with a federal due date of 2026-04-09.
EPSS: 0.4117 from your intel block; secondary tracking shows this sits roughly in the 97th-98th percentile range after disclosure.
PoC / exploit availability: Public exploit logic is effectively available. Bishop Fox published root-cause analysis and a non-destructive scanner; GitHub repo keraattin/CVE-2026-35616 publishes Python/Nmap detection tooling. That is close enough to commoditization for defenders.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — the classic *internet-reachable, no-auth, no-click, full-impact* shape.
Affected versions: FortiClient EMS 7.4.5 through 7.4.6.
Fixed versions: Primary fix is 7.4.7+. Fortinet also released out-of-band hotfixes 7.4.5.2111.1277073 and 7.4.6.2170.1277073.
Exposure data: Censys observed around 10K exposed FortiClient EMS hosts and 3,835 potentially vulnerable by banner at disclosure time.
Disclosure timeline: CVE published 2026-04-04; KEV added 2026-04-06; FortiClient EMS 7.4.7 release notes show the CVE fixed in build 2193.M and in the later 2194.M re-release.
Research / technical root cause: Independent reverse engineering from Bishop Fox says the auth bypass comes from trusting spoofable certificate-auth headers at the application layer; their write-up materially increases defender confidence that exploitation is straightforward when the interface is reachable.
04 · The Call

noisgate verdict.

Final Verdict: UNCHANGED (remains CRITICAL, 9.8/10)

The decisive factor is active exploitation of an unauthenticated network bug on a management plane that directly controls endpoints. The only meaningful downward pressure is exposure population: many EMS servers are not internet-facing, but for the ones that are, this is immediate control-plane compromise with outsized fleet blast radius.

  • HIGH: Severity bucket and urgency
  • HIGH: Active exploitation / KEV status
  • MEDIUM: Precise exploit mechanics across all deployed topologies

Why this verdict

  • KEV + active exploitation erase debate. This is not a hypothetical 9.x that might never be weaponized; CISA and Fortinet both say attackers are already using it.
  • Pre-auth network path keeps friction low. No credentials, no user action, and no prior endpoint compromise are required when EMS is reachable over HTTPS.
  • Control-plane blast radius is the amplifier. EMS is built to manage, configure, and push changes to large endpoint populations, so compromise of one server can become many downstream impacts.
  • Real-world friction exists but is not decisive. Requiring exposure to the EMS interface narrows the population, and some enterprises keep it internal or VPN-only, but Censys still saw thousands of potentially vulnerable internet-facing systems.

Why not higher?

There is no higher bucket than CRITICAL here, but the score does not need to be artificially pushed beyond the ceiling. The main moderating factor is that only 7.4.5-7.4.6 are affected, and not every enterprise exposes EMS to the internet. Internal-only deployments meaningfully reduce reachability, though not the danger after initial access.

Why not lower?

Dropping this to HIGH would ignore the two facts that matter most: active exploitation and unauthenticated compromise of a fleet management server. Even with a narrow affected range, the attack path is short and the consequences extend well beyond the single host, which is exactly what the CRITICAL bucket is for.

05 · Compensating Control

What to do — in priority order.

  1. Restrict EMS HTTPS immediately — Put the EMS web/API interface behind VPN, allowlisted admin ranges, or a management jump path immediately, within hours, because this CVE is KEV-listed and actively exploited. If the server is internet-reachable today, assume it is already in the attacker search space.
  2. Strip spoofable auth headers upstream — On any reverse proxy, WAF, or HTTP tier in front of EMS, explicitly drop inbound X-SSL-CLIENT-* style headers and any equivalent client-cert context headers immediately, within hours. This mirrors the hotfix strategy described by independent analysis and can break the pre-auth path before full remediation lands.
  3. Hunt EMS logs and EDR for post-auth anomalies — Review EMS host telemetry, IIS/Apache-equivalent access logs, and application logs for unusual API calls, new source IPs, auth-bypass-like 401/500 sequences, and mass management actions immediately, within hours. On a CRITICAL KEV item, confirming that the host was exposed is not enough; you need to check whether it was compromised.
  4. Segment EMS from broad east-west access — Limit outbound/admin paths from the EMS host to only required infrastructure and enrolled endpoints within 3 days if immediate isolation is impossible. This reduces blast radius if the attacker already obtained control-plane access.
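As an added example (not part of the noisgate page, Fortinet's tooling, or Bishop Fox's scanner), the hunt in item 3 and in Step 03 above, run over a few constructed front-end access log lines: it flags API use from source addresses outside a known management allowlist, and a 401/403 from a source followed within a minute by a successful request to an administrative path. The combined log format, the /api/v1/... administrative route prefixes, the allowlist and the sample lines are all assumptions constructed for this example; adapt them to the real EMS HTTP tier.

```python
import re
from datetime import datetime, timedelta

# Combined-log-format front-end access lines (assumed layout; adapt to the real EMS HTTP tier)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ADMIN_PATH_PREFIXES = ("/api/v1/admin", "/api/v1/settings", "/api/v1/certificate")  # assumed routes
KNOWN_ADMIN_SOURCES = {"10.20.0.5"}   # constructed allowlist of management hosts
WINDOW = timedelta(seconds=60)        # how soon after a 401/403 a success looks like a bypass


def parse(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def hunt(lines):
    """Return sorted (ip, reason) findings, one per source IP and reason."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    findings = set()
    last_auth_error = {}  # ip -> time of the most recent 401/403 from that ip
    for e in events:
        if e["path"].startswith("/api/") and e["ip"] not in KNOWN_ADMIN_SOURCES:
            findings.add((e["ip"], "api-from-unknown-source"))
        if e["status"] in (401, 403):
            last_auth_error[e["ip"]] = e["ts"]
        elif 200 <= e["status"] < 300 and e["path"].startswith(ADMIN_PATH_PREFIXES):
            seen = last_auth_error.get(e["ip"])
            if seen is not None and e["ts"] - seen <= WINDOW:
                findings.add((e["ip"], "admin-success-after-auth-error"))
    return sorted(findings)


# Constructed sample: one legitimate admin request, one suspicious sequence, one static fetch
SAMPLE_LOG = [
    '10.20.0.5 - - [05/Apr/2026:09:00:01 +0000] "GET /api/v1/settings HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Apr/2026:09:10:00 +0000] "GET /api/v1/admin/users HTTP/1.1" 401 0',
    '203.0.113.9 - - [05/Apr/2026:09:10:04 +0000] "GET /api/v1/admin/users HTTP/1.1" 200 8192',
    '203.0.113.9 - - [05/Apr/2026:09:10:09 +0000] "POST /api/v1/certificate/export HTTP/1.1" 200 4096',
    '198.51.100.7 - - [05/Apr/2026:09:20:00 +0000] "GET /static/app.js HTTP/1.1" 200 1000',
]

if __name__ == "__main__":
    for ip, reason in hunt(SAMPLE_LOG):
        print(f"{ip}\t{reason}")
```

The two reasons are deliberately separate so a single unknown source that merely browses the API is distinguishable from one whose requests start succeeding right after an auth failure.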
What doesn't work
  • MFA for administrators does not stop a pre-auth API bypass that sidesteps the normal login path entirely.
  • Password rotation alone does not help because the attacker does not need valid credentials to reach privileged functionality.
  • Endpoint AV only on managed clients is too late in the chain; the dangerous asset is the EMS control plane, not just the downstream endpoints.
06 · Verification

Crowdsourced verification payload.

Run this on the FortiClient EMS server itself in an elevated PowerShell session. Example: powershell -ExecutionPolicy Bypass -File .\check-forticlientems-cve-2026-35616.ps1. Local administrator is recommended so the script can read both 64-bit and Wow6432Node uninstall data reliably.

noisgate-verify.ps1
# check-forticlientems-cve-2026-35616.ps1
# Purpose: Determine likely exposure to CVE-2026-35616 on a Windows FortiClient EMS host
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'Stop'

function Get-UninstallEntries {
    # Check both the native 64-bit and the 32-bit (WOW6432Node) uninstall hives
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $items = foreach ($p in $paths) {
        Get-ItemProperty -Path $p -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.DisplayName -match 'FortiClient\s*EMS') -or
                (($_.Publisher -match 'Fortinet') -and ($_.DisplayName -match 'EMS'))
            } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, PSPath
    }

    $items | Sort-Object DisplayName -Unique
}

function Parse-Version([string]$v) {
    # Turn a DisplayVersion such as "7.4.5.2111.1277073" into an int array @(7,4,5,2111,1277073)
    if ([string]::IsNullOrWhiteSpace($v)) { return $null }
    $clean = ($v -replace '[^0-9\.]','').Trim('.')
    if ([string]::IsNullOrWhiteSpace($clean)) { return $null }
    $parts = $clean.Split('.') | Where-Object { $_ -ne '' }
    $ints = @()
    foreach ($p in $parts) {
        try { $ints += [int]$p } catch { $ints += 0 }
    }
    # The leading comma keeps the array from being unrolled on output
    return ,$ints
}

function Compare-VersionArrays($a, $b) {
    # Returns -1 if a<b, 0 if equal, 1 if a>b; missing trailing components count as 0
    $len = [Math]::Max($a.Count, $b.Count)
    for ($i = 0; $i -lt $len; $i++) {
        $av = if ($i -lt $a.Count) { [int]$a[$i] } else { 0 }
        $bv = if ($i -lt $b.Count) { [int]$b[$i] } else { 0 }
        if ($av -lt $bv) { return -1 }
        if ($av -gt $bv) { return 1 }
    }
    return 0
}

function Version-StartsWith($arr, $prefix) {
    # True when the leading components of $arr equal $prefix (e.g. 7.4.5.x starts with 7.4.5)
    if ($arr.Count -lt $prefix.Count) { return $false }
    for ($i = 0; $i -lt $prefix.Count; $i++) {
        if ([int]$arr[$i] -ne [int]$prefix[$i]) { return $false }
    }
    return $true
}

# Force an array so .Count is reliable whether zero, one or many entries come back
$entries = @(Get-UninstallEntries | Where-Object { $null -ne $_ })
if ($entries.Count -eq 0) {
    Write-Output 'UNKNOWN: No FortiClient EMS uninstall entry found in standard registry locations.'
    exit 2
}

# Prefer the entry with a version value
$entry = $entries | Where-Object { $_.DisplayVersion } | Select-Object -First 1
if (-not $entry) { $entry = $entries | Select-Object -First 1 }

$rawVersion = $entry.DisplayVersion
$ver = Parse-Version $rawVersion

if (-not $ver) {
    Write-Output ('UNKNOWN: Found {0} but could not parse DisplayVersion "{1}".' -f $entry.DisplayName, $rawVersion)
    exit 2
}

# Known fixed milestones from Fortinet docs:
#   7.4.5.2111.1277073  (GA hotfix 1)
#   7.4.6.2170.1277073  (GA hotfix 1)
#   7.4.7+              (general fixed release)
$prefix745 = @(7,4,5)
$prefix746 = @(7,4,6)
$prefix747 = @(7,4,7)
$fix745    = @(7,4,5,2111)
$fix746    = @(7,4,6,2170)

$status = $null
$reason = $null

if (Version-StartsWith $ver $prefix745) {
    if ((Compare-VersionArrays $ver $fix745) -ge 0) {
        $status = 'PATCHED'
        $reason = '7.4.5 with hotfix build >= 2111 detected.'
    } else {
        $status = 'VULNERABLE'
        $reason = '7.4.5 detected without GA hotfix 1 build threshold.'
    }
}
elseif (Version-StartsWith $ver $prefix746) {
    if ((Compare-VersionArrays $ver $fix746) -ge 0) {
        $status = 'PATCHED'
        $reason = '7.4.6 with hotfix build >= 2170 detected.'
    } else {
        $status = 'VULNERABLE'
        $reason = '7.4.6 detected without GA hotfix 1 build threshold.'
    }
}
elseif ((Compare-VersionArrays $ver $prefix747) -ge 0) {
    $status = 'PATCHED'
    $reason = 'Version is 7.4.7 or later.'
}
else {
    # Older branches (e.g. 7.2.x) are not in the documented affected range; report, do not guess
    $status = 'UNKNOWN'
    $reason = 'Installed version is outside the directly documented affected range in this check.'
}

Write-Output ('Product      : {0}' -f $entry.DisplayName)
Write-Output ('Version      : {0}' -f $rawVersion)
Write-Output ('Install Path : {0}' -f $entry.InstallLocation)
Write-Output ('Result       : {0}' -f $status)
Write-Output ('Reason       : {0}' -f $reason)

switch ($status) {
    'PATCHED'    { exit 0 }
    'VULNERABLE' { exit 1 }
    default      { exit 2 }
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning plan: treat every internet-reachable FortiClient EMS as an incident-priority asset. Because this CVE is KEV-listed and actively exploited, override the normal timeline and patch / mitigate immediately, within hours; that is your practical noisgate mitigation SLA here. Concretely, pull EMS off the public internet or strictly allowlist it, deploy the Fortinet hotfix or move to 7.4.7+, and perform compromise review on the EMS host before returning it to normal operations. For governance purposes the noisgate remediation SLA for a CRITICAL issue is ≤90 days, but for this one that is the outer bound, not the schedule you should follow.

Sources

  1. Fortinet PSIRT advisory FG-IR-26-099
  2. CVE.org / OpenCVE record for CVE-2026-35616
  3. NVD entry for CVE-2026-35616
  4. FortiClient EMS 7.4.5 special notices (hotfix 1)
  5. FortiClient EMS 7.4.6 special notices (hotfix 1)
  6. FortiClient EMS 7.4.7 release notes
  7. Censys advisory and exposure data
  8. Bishop Fox technical analysis