Cyber Alert Security News Daily

Fortinet FortiClient EMS zero-day and older bugs (auth bypass, SQLi RCE) exploited in the wild (CVE-2026-35616 + CVE-2023-48788 + CVE-2026-21643)

Key Questions

What is CVE-2026-35616 in Fortinet FortiClient EMS?

CVE-2026-35616 is a CVSS 9.1 improper access control vulnerability allowing authentication bypass and RCE. It has been exploited as a zero-day on approximately 2,000 servers in the US and Germany, with PoCs publicly available and details from CyCognito.

Is CVE-2026-35616 actively exploited?

Yes, it is actively exploited in the wild, listed in CISA KEV, prompting Fortinet to release an emergency hotfix for versions 7.4.5, 7.4.6, and 7.4.7. Organizations should urgently inventory and patch affected systems.

What is CVE-2023-48788 and its impact?

CVE-2023-48788 is a CVSS 9.8 SQL injection vulnerability in FortiClient EMS leading to RCE. Active exploits target thousands of exposed instances, with IoCs including 500 errors on /api/v1/init_consts.

What actions are recommended for Fortinet FortiClient EMS users?

Users should perform urgent inventory checks, apply patches, conduct threat hunts, and rotate credentials. Monitor for exploitation amid a wave of console attacks.
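One way to run the hunt for the IoC named above (HTTP 500 responses on /api/v1/init_consts), as an added example that is not code from Fortinet or the cited reports. It assumes web access logs in Apache-style combined format; the function name `hunt` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Path and status are the IoC stated on this page; the log format is an assumption.
IOC_PATH = "/api/v1/init_consts"
IOC_STATUS = 500

# Apache-style "combined" access-log line (assumed format).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) '
)

def hunt(lines):
    """Return (hits, per_source) for IOC_STATUS responses on IOC_PATH."""
    hits, per_source = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        # Compare the decoded path only, so a query string, trailing slash,
        # percent-encoding or letter case does not hide a hit.
        path = unquote(m["target"].split("?", 1)[0]).rstrip("/").lower()
        if path == IOC_PATH and int(m["status"]) == IOC_STATUS:
            hits.append((m["ts"], m["src"], m["method"]))
            per_source[m["src"]] += 1
    return hits, per_source

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [02/Apr/2026:10:15:01 +0000] "GET /api/v1/init_consts HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.24 - - [02/Apr/2026:10:15:09 +0000] "GET /api/v1/init_consts HTTP/1.1" 500 301 "-" "python-requests/2.31"',
    '203.0.113.24 - - [02/Apr/2026:10:15:10 +0000] "POST /api/v1/init_consts?x=1 HTTP/1.1" 500 301 "-" "python-requests/2.31"',
    '192.0.2.55 - - [02/Apr/2026:10:16:44 +0000] "GET /favicon.ico HTTP/1.1" 500 120 "-" "curl/8.5"',
    'malformed line',
    '192.0.2.55 - - [02/Apr/2026:10:17:02 +0000] "GET /API/v1/init_consts/ HTTP/1.1" 500 120 "-" "curl/8.5"',
]

if __name__ == "__main__":
    hits, per_source = hunt(SAMPLE)
    for ts, src, method in hits:
        print(f"{ts}  {src}  {method} {IOC_PATH} -> {IOC_STATUS}")
    for src, count in per_source.most_common():
        print(f"{src}: {count} hit(s)")
```

A hit is a lead for triage, to be correlated with patch level and other host evidence, not confirmation of compromise.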

Where can more details on these Fortinet vulnerabilities be found?

Details are available in CyCognito's blog on CVE-2026-35616, Fortinet's emergency patch announcement, watchTowr's zero-day report, and coverage of the two-year-old bug still under attack.

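CVE-2026-35616 (CVSS 9.1), an authentication bypass leading to RCE, was exploited as a zero-day on roughly 2,000 servers in the US and Germany; it is listed in CISA KEV, a PoC is public, and an emergency hotfix is available for 7.4.5, 7.4.6 and 7.4.7. CVE-2023-48788 (CVSS 9.8), an SQL injection leading to RCE, is under active exploitation with thousands of instances exposed; IoCs include 500 responses on /api/v1/init_consts. Urgent inventory, patching, threat hunts and credential rotation are advised amid a wave of console attacks.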

Updated Apr 8, 2026