Fortinet FortiClient EMS Pre-Auth Bypass — "FortiBleed" (CVE-2026-35616)
by Fortinet (advisory); Alaatk (PoC) · 2026-07-03
- Severity: Critical
- CVE: CVE-2026-35616
- Category: network
- Affected product: Fortinet FortiClient Endpoint Management Server (EMS)
- Affected versions: 7.4.5, 7.4.6
- Disclosed: 2026-07-03
- Patch status: unpatched
References
- https://thehackernews.com/2026/04/fortinet-patches-actively-exploited-cve.html
- https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html
- https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/
- https://github.com/Alaatk/CVE-2026-35616
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-07-03 |
| Last Updated | 2026-04 |
| Author / Researcher | Fortinet (advisory); Alaatk (PoC) |
| CVE / Advisory | CVE-2026-35616 |
| Category | network |
| Severity | Critical |
| CVSS Score | 9.1 (CVSSv3) |
| Status | Weaponized |
| Tags | authentication-bypass, header-spoofing, Fortinet, FortiClient-EMS, FortiBleed, credential-theft, CISA-KEV, active-exploitation, ransomware |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Fortinet FortiClient Endpoint Management Server (EMS) |
| Versions Affected | 7.4.5, 7.4.6 |
| Language / Platform | Python (PoC) targeting FortiClient EMS’s Fabric/FortiGate device-auth API |
| Authentication Required | No |
| Network Access Required | Yes (HTTPS to FortiClient EMS management API) |
Summary
CVE-2026-35616 is a pre-authentication bypass in Fortinet FortiClient EMS’s certificate-chain authentication handler (cert_chain_auth.py), which trusts the X-SSL-CLIENT-VERIFY header directly without performing real cryptographic validation of the presented client certificate. By forging a self-signed certificate whose Common Name matches a CA name accepted by the TLS client-certificate prompt (enumerable via openssl s_client) and supplying the spoofed verification header, an unauthenticated attacker can reach protected Fabric/FortiGate device-management API endpoints as a trusted device. This bug is the technical root cause of the “FortiBleed” mass credential-theft campaign, in which attackers harvest browser/EMS credentials at scale (430,000+ FortiGate firewalls reportedly affected) and the resulting access has since been linked to INC Ransom and Lynx ransomware affiliates for follow-on extortion.
Vulnerability Details
Root Cause
cert_chain_auth.py authorizes a request as coming from a verified Fabric device based solely on the client-supplied X-SSL-CLIENT-VERIFY header and a certificate Common Name, without validating the certificate’s cryptographic chain of trust against a real CA — allowing a self-signed, attacker-forged certificate to satisfy the check.
Attack Vector
- Enumerate acceptable client-certificate CA names from the target's TLS handshake via `openssl s_client -connect <target>:<port>`.
- Forge a self-signed X.509 certificate whose CN matches one of the accepted CA names (`forge_cert()`).
- Send requests to protected endpoints (`/api/v1/system/capabilities`, `/api/v1/system/version`, `/api/v1/settings/server/public_address`, `/api/v1/fabric_device_auth/fortigate/init`, `/api/v1/fortigate/info`) with the spoofed `X-SSL-CLIENT-VERIFY` header and forged CN, bypassing authentication as a trusted Fabric/FortiGate device.
- Use the resulting access to enumerate device info and pivot toward credential/config harvesting (the basis of the broader FortiBleed campaign).
Impact
Unauthenticated access to protected FortiClient EMS Fabric-device management endpoints, enabling credential harvesting at scale and downstream ransomware deployment by affiliated threat actors.
Environment / Lab Setup
Target: FortiClient EMS 7.4.5 - 7.4.6
Attacker: Python 3 + requests, cryptography, urllib3; openssl in PATH
Proof of Concept
PoC Script
See `cve_2026_35616.py` in this folder.
Enumerates accepted client-certificate CA names via openssl s_client, forges a matching self-signed certificate, and replays the forged X-SSL-CLIENT-VERIFY header against a set of protected Fabric/FortiGate device-auth API endpoints to demonstrate the authentication bypass.
Detection & Indicators of Compromise
Signs of compromise:
- Fabric/FortiGate device-auth API calls from unexpected source IPs with no matching legitimate device enrollment
- Unusual `openssl s_client` connection patterns immediately preceding API access
- Downstream indicators of the FortiBleed campaign: EKZ Stealer artifacts, unexpected credential exfiltration, ransomware precursor activity (INC Ransom / Lynx TTPs)
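Detection logic for the first indicator above, run over constructed access-log lines: hits on the advisory's Fabric/FortiGate device-auth endpoints are grouped by source IPs that have no enrolled device behind them, and a 2xx from such a source is flagged as a successful bypass. This is an added example, not code from the archive entry or the PoC repository; the enrolled-device networks, the common-log-format log layout and the sample lines are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoints the advisory lists as reachable once the forged CN / spoofed header is accepted.
WATCHED_ENDPOINTS = frozenset({
    "/api/v1/system/capabilities", "/api/v1/system/version",
    "/api/v1/settings/server/public_address",
    "/api/v1/fabric_device_auth/fortigate/init", "/api/v1/fortigate/info",
})

# Assumption (constructed): networks from which enrolled FortiGate devices legitimately
# reach EMS; populate from your own Fabric enrollment records.
ENROLLED_DEVICE_NETS = (ip_network("10.20.0.0/24"),)

# Assumes a common-log-format access log in front of the EMS API.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_enrolled(src):
    addr = ip_address(src)
    return any(addr in net for net in ENROLLED_DEVICE_NETS)

def find_suspicious(log_text):
    """Group watched-endpoint hits by source IPs behind which no enrolled device exists."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # not a request line we understand
        path = m.group("path").split("?", 1)[0]        # ignore any query string
        if path not in WATCHED_ENDPOINTS or is_enrolled(m.group("src")):
            continue
        hits.setdefault(m.group("src"), []).append((path, int(m.group("status"))))
    return hits

def triage(hits):
    """2xx on a watched endpoint from an unenrolled source: the device-auth check was
    passed without enrollment (bypass succeeded). Anything else is a blocked attempt."""
    return {src: ("bypass-succeeded" if any(200 <= st < 300 for _, st in ev) else "attempt")
            for src, ev in hits.items()}

# Constructed sample lines (not real telemetry): an enrolled device, an unenrolled host
# sweeping several endpoints, and a blocked attempt.
SAMPLE_LOG = """\
10.20.0.15 - - [03/Jul/2026:10:01:02 +0000] "POST /api/v1/fabric_device_auth/fortigate/init HTTP/1.1" 200 512
203.0.113.77 - - [03/Jul/2026:10:05:44 +0000] "GET /api/v1/system/capabilities HTTP/1.1" 200 1380
203.0.113.77 - - [03/Jul/2026:10:05:45 +0000] "GET /api/v1/fortigate/info?verbose=1 HTTP/1.1" 200 2201
198.51.100.9 - - [03/Jul/2026:10:07:10 +0000] "GET /api/v1/system/version HTTP/1.1" 403 41
10.20.0.15 - - [03/Jul/2026:10:09:00 +0000] "GET /index.html HTTP/1.1" 200 900
"""
```

Sources reported as `bypass-succeeded` should be cross-checked against the enrollment records before being treated as confirmed compromise, since an allowlist gap produces the same verdict.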
Remediation
| Action | Detail |
|---|---|
| Primary fix | Upgrade FortiClient EMS to 7.4.7 or later |
| Interim mitigation | Restrict management-plane access to FortiClient EMS to trusted administrative networks only |
| Cleanup | If FortiBleed exposure is suspected, rotate all credentials accessible via EMS-managed endpoints and hunt for INC Ransom / Lynx ransomware precursor activity |
References
- Fortinet Patches Actively Exploited CVE-2026-35616
- FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations
- FortiBleed credential-theft campaign linked to Lynx ransomware (BleepingComputer)
- Source repository (Alaatk)
Notes
Mirrored from https://github.com/Alaatk/CVE-2026-35616 on 2026-07-03. 35 stars / 10 forks at time of mirroring; author’s repo includes a PoC screenshot corroborating the bypass against a lab target.