CVE-2026-35616 & CVE-2026-21643: FortiClient EMS Vulnerabilities Exploited in the Wild


Two severe vulnerabilities affecting Fortinet FortiClient Enterprise Management Server (EMS) are being actively exploited in the wild, enabling unauthenticated remote code execution. Threat intelligence firm Defused reported observing zero-day exploitation of these flaws before Fortinet's patches and public advisories were available. Widespread internet exposure (approximately 2,000 instances) significantly increases exploitation risk for enterprises globally.

Severity: Critical

Vulnerability Details

1. CVE-2026-35616: Pre-Authentication API Access Bypass

  • CVSS Score: 9.1
  • Impact: Allows an unauthenticated attacker to bypass API authentication and authorization entirely, enabling unauthorized code or command execution via crafted requests.
  • Root Cause: Improper access control [CWE-284] within the API component.
  • Affected Versions: FortiClient EMS 7.4.5 and 7.4.6.
  • Exploitation Status: Confirmed as exploited in the wild as a zero-day.

2. CVE-2026-21643: SQL Injection in Administrative Interface

  • CVSS Score: 9.1
  • Impact: Allows unauthenticated attackers to execute unauthorized code or commands.
  • Root Cause: Improper neutralization of special elements in an SQL Command (‘SQL Injection’) [CWE-89].
  • Attack Vector: Attackers can “smuggle” SQL statements through the “Site” HTTP header in a request to the /api/v1/init_consts endpoint.
  • Affected Versions: FortiClient EMS version 7.4.4.
  • Exploitation Status: Observed exploited in the wild; initial exploitation was recorded at least four days prior to public warnings in late March 2026.

Threat Landscape And Exposure

  • Public Exposure: Approximately 2,000 FortiClient EMS instances are exposed globally.
  • Geographic Focus: The most heavily affected regions with exposed instances are the United States and Germany.
  • Historical Context: These vulnerabilities follow a pattern of Fortinet flaws being targeted by advanced actors, including ransomware groups and state-sponsored hackers like Salt Typhoon.

Recommendations

  1. For CVE-2026-35616, immediately apply the emergency hotfix from Fortinet for EMS versions 7.4.5 and 7.4.6. Upgrade to the upcoming version 7.4.7 or higher once released.
  2. For CVE-2026-21643, upgrade FortiClient EMS 7.4.4 to version 7.4.5 or higher immediately. Note: This vulnerability specifically affects multi-tenant deployments.
  3. Limit HTTPS access to the FortiClient EMS administrative web interface (GUI) to authorized management networks only (e.g., via a management VLAN or trusted IP range).
  4. Ensure EMS instances are not directly accessible from the public internet. If remote access is required, it should only be granted via a secure VPN or Zero Trust Network Access (ZTNA) gateway.
  5. Monitor logs for unusual GET or POST requests to the /api/v1/init_consts and /api/v1/auth/signin endpoints. Audit logs for HTTP 500 errors on these endpoints, which may indicate failed or successful error-based SQL injection attempts.
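The monitoring step above can be automated. The following is an added example, not from the advisory or from Fortinet: it parses web-server access logs in the common combined format (an assumption; EMS's own log layout may differ), records every request to the two endpoints named above for baselining, and raises an alert for any source address with repeated HTTP 500 responses on them. The log lines are constructed sample data.

```python
import re
from collections import Counter

# Endpoints the advisory says to watch for unusual GET/POST activity.
WATCHED_ENDPOINTS = ("/api/v1/init_consts", "/api/v1/auth/signin")

# Constructed sample lines in combined log format (not real EMS logs).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2026:02:14:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 312 "-" "python-requests/2.31"
203.0.113.7 - - [28/Mar/2026:02:14:02 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 312 "-" "python-requests/2.31"
203.0.113.7 - - [28/Mar/2026:02:14:03 +0000] "POST /api/v1/auth/signin HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.4 - - [28/Mar/2026:02:15:10 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 845 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Mar/2026:02:15:11 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Mar/2026:02:16:30 +0000] "POST /api/v1/auth/signin HTTP/1.1" 500 77 "-" "curl/8.5.0"
"""

# client ip, timestamp, request line (method, path, protocol), status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec


def find_suspicious(log_text, error_threshold=2):
    """Return (hits, alerts).

    hits:   every request to a watched endpoint, for baselining normal volume.
    alerts: {source ip: count} for sources with at least error_threshold HTTP 500
            responses on watched endpoints, which the advisory flags as a possible
            sign of error-based SQL injection attempts (failed or successful).
    """
    hits = []
    errors_by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] not in WATCHED_ENDPOINTS:
            continue
        hits.append(rec)
        if rec["status"] == 500:
            errors_by_ip[rec["ip"]] += 1
    alerts = {ip: n for ip, n in errors_by_ip.items() if n >= error_threshold}
    return hits, alerts
```

Tune `error_threshold` against a baseline of normal 500 rates for your deployment; a single 500 on a legitimate client is noise, a burst from one address is worth an investigation.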

Source:

  • https://fortiguard.fortinet.com/psirt/FG-IR-26-099
  • https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
  • https://x.com/defusedcyber/status/2037912573274636781
