CVE-2026-35616 & CVE-2026-21643: FortiClient EMS Vulnerabilities Exploited in the Wild

Two severe vulnerabilities affecting Fortinet FortiClient Enterprise Management Server (EMS) are actively exploited in the wild, enabling unauthenticated remote code execution. Threat intelligence firm Defused reported seeing zero-day exploitation of these flaws before official patches or public disclosures were fully established. Widespread internet exposure (~2,000 instances) significantly increases exploitation risk across enterprises globally.

Severity: Critical

Vulnerability Details

1. CVE-2026-35616: Pre-Authentication API Access Bypass

  • CVSS Score: 9.1
  • Impact: Allows an unauthenticated attacker to bypass API authentication and authorization entirely, enabling unauthorized code or command execution via crafted requests.
  • Root Cause: Improper access control [CWE-284] within the API component.
  • Affected Versions: FortiClient EMS 7.4.5 and 7.4.6.
  • Exploitation Status: Confirmed as exploited in the wild as a zero-day.

2. CVE-2026-21643: SQL Injection in Administrative Interface

  • CVSS Score: 9.1
  • Impact: Allows unauthenticated attackers to execute unauthorized code or commands.
  • Root Cause: Improper neutralization of special elements in an SQL Command (‘SQL Injection’) [CWE-89].
  • Attack Vector: Attackers can “smuggle” SQL statements through the “Site” HTTP header in a request to the /api/v1/init_consts endpoint.
  • Affected Versions: FortiClient EMS version 7.4.4.
  • Exploitation Status: Observed exploited in the wild; initial exploitation was recorded at least four days prior to public warnings in late March 2026.

Threat Landscape and Exposure

  • Public Exposure: Approximately 2,000 FortiClient EMS instances are exposed globally.
  • Geographic Focus: The most heavily affected regions with exposed instances are the United States and Germany.
  • Historical Context: These vulnerabilities follow a pattern of Fortinet flaws being targeted by advanced actors, including ransomware groups and state-sponsored hackers like Salt Typhoon.

Recommendations

  1. For CVE-2026-35616, immediately apply the emergency hotfix from Fortinet for EMS versions 7.4.5 and 7.4.6. Upgrade to the upcoming version 7.4.7 or higher once released.
  2. For CVE-2026-21643, upgrade FortiClient EMS 7.4.4 to version 7.4.5 or higher immediately. Note: This vulnerability specifically affects multi-tenant deployments.
  3. Limit HTTPS access to the FortiClient EMS administrative web interface (GUI) to authorized management networks only (e.g., via a management VLAN or trusted IP range).
  4. Ensure EMS instances are not directly accessible from the public internet. If remote access is required, it should only be granted via a secure VPN or Zero Trust Network Access (ZTNA) gateway.
  5. Monitor logs for unusual GET or POST requests to the /api/v1/init_consts and /api/v1/auth/signin endpoints. Audit logs for HTTP 500 errors on these endpoints, which may indicate failed or successful error-based SQL injection attempts.
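As an added illustration of recommendation 5 (example code, not part of the original advisory), the following Python script scans constructed access-log lines for the two endpoints named above, flagging HTTP 500 responses and SQL metacharacters in the logged Site header. The log layout, field names and sample traffic are assumptions for this example; EMS's real log format differs.

```python
import re
from dataclasses import dataclass

# Endpoints the advisory tells defenders to watch.
WATCHED_ENDPOINTS = ("/api/v1/init_consts", "/api/v1/auth/signin")

# Constructed log layout for this example (an assumption, not EMS's real format):
#   <client_ip> <METHOD> <path> <status> site="<value of the Site request header>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) site="(?P<site>[^"]*)"$'
)

# SQL metacharacters and keywords that have no business in a legitimate Site header.
SQL_META_RE = re.compile(r"""['";]|--|/\*|\b(?:union|select|sleep|waitfor|pg_sleep)\b""", re.I)

@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: str
    reasons: list

def analyze_line(line: str):
    """Return a Finding if the line hits a watched endpoint with a detection reason, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                              # not in the assumed format
    path = m.group("path").split("?", 1)[0]      # ignore any query string
    if path not in WATCHED_ENDPOINTS:
        return None
    reasons = []
    if m.group("status") == "500":
        reasons.append("http_500_on_watched_endpoint")   # error-based SQLi symptom named in the advisory
    if SQL_META_RE.search(m.group("site")):
        reasons.append("sql_metachars_in_site_header")    # the header named as the injection point
    return Finding(m.group("ip"), m.group("method"), path, m.group("status"), reasons) if reasons else None

def analyze_log(text: str):
    """Run analyze_line over every line of a log and keep only the hits."""
    return [f for f in map(analyze_line, text.splitlines()) if f is not None]

# Constructed sample traffic: a benign login, two suspicious init_consts calls, a 500 elsewhere, a failed signin.
SAMPLE_LOG = """\
10.0.0.5 POST /api/v1/auth/signin 200 site="hq"
203.0.113.7 GET /api/v1/init_consts 500 site="hq'--"
203.0.113.7 GET /api/v1/init_consts?x=1 500 site="hq"
10.0.0.8 GET /api/v1/status 500 site="hq"
203.0.113.9 POST /api/v1/auth/signin 500 site="branch"
"""
```

Feed `analyze_log` the output of your own web-server or reverse-proxy logs once the Site header is logged; repeated hits from one client on /api/v1/init_consts warrant an incident ticket.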

Source:

  • https://fortiguard.fortinet.com/psirt/FG-IR-26-099
  • https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
  • https://x.com/defusedcyber/status/2037912573274636781


Ampcus Cyber