Fortinet PoC sparks access‑bypass alerts

- Public proof-of-concept code is now circulating for CVE-2026-35616, a FortiClient EMS authentication-bypass bug Fortinet disclosed on April 4 after confirming active exploitation.
- The flaw hits FortiClient EMS 7.4.5 and 7.4.6, and Bishop Fox says one forged HTTP header can unlock full admin API access.
- That matters because Fortinet already had two exploited 2026 EMS bugs in KEV, turning exposed management servers into a high-priority target set.

Fortinet admins have a new problem, and it is the kind defenders hate most — a bug that was already being exploited now has public proof-of-concept code floating around. The issue is CVE-2026-35616, an authentication-bypass flaw in FortiClient EMS, Fortinet’s endpoint management server. If an attacker can reach a vulnerable server, the barrier to testing and weaponizing the bug just got lower. Fortinet disclosed the issue on April 4, 2026, and CISA added it to the KEV catalog on April 6.

### What is FortiClient EMS?

FortiClient EMS is the control plane for managed endpoints — the box admins use to push policy, manage clients, and control how devices connect back into the network. That means a compromise is not just “one server got popped.” It can become a way to reach a whole fleet of managed machines or to tamper with the rules that govern them.

### What is the new bug?

CVE-2026-35616 is an improper access control flaw in FortiClient EMS 7.4.5 and 7.4.6. Fortinet says an unauthenticated attacker can execute unauthorized code or commands through crafted requests, and it has already seen the bug exploited in the wild. Hotfixes are available for 7.4.5 and 7.4.6, and version 7.4.7 includes the fix as well. Fortinet also says FortiClient Cloud and FortiSASE were remediated on its side, so customers there do not need to take action. (fortiguard.fortinet.com)

### How does the bypass work?

The short version is ugly. Bishop Fox says the Django layer trusted certificate details from places it should not have trusted — including user-controllable HTTP headers — and Apache was not stripping those spoofable variants. So an attacker could basically impersonate the certificate-backed identity checks that were supposed to protect the API. That is why researchers describe it as a pre-auth bypass, not some niche post-login trick. (fortiguard.fortinet.com)

### Why are people alarmed now?

Because public PoC code changes the tempo. A private exploit in the hands of a few actors is bad. A public script on GitHub means every scanner, red team, criminal crew, and opportunist gets a shortcut. Search results already show multiple public repositories and a non-destructive detection tool from Bishop Fox. That does not guarantee mass exploitation, but it usually compresses the time between disclosure and broad probing. That last point is an inference from how public exploit release tends to change attacker behavior. (bishopfox.com)

### Is this the same as the Fortinet bugs from January?

No — and that is part of the confusion. January’s headline Fortinet issue was CVE-2026-24858, a FortiCloud SSO authentication bypass affecting multiple Fortinet products when FortiCloud SSO was enabled. CISA added that one to KEV on January 27, 2026. Separately, FortiClient EMS also had CVE-2026-21643, a critical SQL injection flaw in version 7.4.4 that was observed exploited in the wild and landed in KEV on April 13. (github.com) Different bugs, same vendor, same rough lesson: exposed management surfaces are getting hammered.

### What should defenders do first?

Treat any internet-exposed FortiClient EMS server on 7.4.5 or 7.4.6 as urgent. Apply Fortinet’s hotfix or move to 7.4.7, and restrict access to management interfaces while you do it. Then look for signs that admin-level API access was abused — because with this class of bug, the danger is not just initial access but what an attacker can reconfigure afterward. CISA’s KEV listing means federal agencies had a remediation deadline of April 9, 2026, which tells you how seriously the risk is being treated. (cisa.gov)

### Bottom line

The news is not just “another Fortinet CVE.” It is that an already exploited FortiClient EMS auth bypass now has public tradecraft around it. For defenders, that usually means the window for calm patch scheduling is over. (fortiguard.fortinet.com)
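The bypass mechanism described above (an application layer trusting certificate details that arrive through client-controllable headers) and the "look for signs of abuse" advice both come down to one bug class: a request header and a server-set TLS variable ending up indistinguishable to the application. The Python below is an added example written for this briefing; it is not Fortinet's code, not Bishop Fox's detection tool, and does not reproduce the FortiClient EMS request. It models the class in the abstract: the variable names (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN) are assumed to follow the mod_ssl convention, and the names EMS actually used are not stated in the article. It shows the vulnerable lookup beside a hardened one that fails closed, plus the check a defender would log on.

```python
# Added example for this briefing; not Fortinet's code and not Bishop Fox's
# detection tool. It models the bug class described in the article: an
# application that reads client-certificate identity from request metadata
# that an HTTP client can influence through headers.
#
# Assumption (hypothetical): variable names follow the mod_ssl convention
# (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN). The names EMS actually used are not
# stated in the article.

from typing import Optional

# Variables that only the TLS layer in front of the app should ever populate.
CERT_VARS = ("SSL_CLIENT_VERIFY", "SSL_CLIENT_S_DN")


def header_to_environ_key(header_name: str) -> str:
    """CGI/WSGI mapping (RFC 3875): 'Ssl-Client-Verify' -> 'HTTP_SSL_CLIENT_VERIFY'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(server_vars: dict, request_headers: dict) -> dict:
    """Simulate the gateway: server-set variables plus HTTP_-prefixed request headers."""
    environ = dict(server_vars)
    for name, value in request_headers.items():
        environ[header_to_environ_key(name)] = value
    return environ


def vulnerable_identity(environ: dict) -> Optional[str]:
    """Vulnerable pattern: matches on the variable *suffix*, so the client-supplied
    HTTP_SSL_CLIENT_VERIFY satisfies the check exactly like the server-set one."""
    verified = any(k.endswith("SSL_CLIENT_VERIFY") and v == "SUCCESS"
                   for k, v in environ.items())
    if not verified:
        return None
    for k, v in environ.items():
        if k.endswith("SSL_CLIENT_S_DN"):
            return v
    return None


def spoofed_cert_headers(environ: dict) -> list:
    """Names of request-header variants that collide with the TLS-layer variables.
    Used to fail closed, and worth logging: a legitimate client never sends them."""
    return sorted(k for k in environ if k.startswith("HTTP_") and k[5:] in CERT_VARS)


def hardened_identity(environ: dict) -> Optional[str]:
    """Hardened pattern: exact server-set keys only, and fail closed if any
    client-supplied look-alike header is present at all."""
    if spoofed_cert_headers(environ):
        return None
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return environ.get("SSL_CLIENT_S_DN")


# Constructed sample requests (not captured traffic).
LEGIT_MTLS = build_environ(
    {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "CN=ems-admin"}, {})
SPOOFED = build_environ(
    {}, {"Ssl-Client-Verify": "SUCCESS", "Ssl-Client-S-Dn": "CN=ems-admin"})
ANONYMOUS = build_environ({}, {"User-Agent": "curl/8.0"})

if __name__ == "__main__":
    for label, env in (("legit mTLS", LEGIT_MTLS),
                       ("spoofed headers", SPOOFED),
                       ("anonymous", ANONYMOUS)):
        print(f"{label:16} vulnerable={vulnerable_identity(env)!r:16} "
              f"hardened={hardened_identity(env)!r:16} "
              f"flagged={spoofed_cert_headers(env)}")
```

The point of `spoofed_cert_headers` is that it serves two of the article's steps at once: the hardened check refuses the request, and the same list is what to write to the access log so that a hunt for abused admin API access has something concrete to search for. The web-server-side counterpart to the Apache behaviour the article mentions is to drop the colliding request headers before they reach the application (in Apache, mod_headers' `RequestHeader unset`), using whatever header names map onto the trusted variables in that deployment.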
