TTPwire Vol. 1 · MITRE ATT&CK Tagged


Bishop Fox

API Authentication Bypass in FortiClient EMS 7.4.5-7.4.6 (CVE-2026-35616)

2026-04-07

ATT&CK techniques detected

4 predictions

T1190 Exploit Public-Facing Application
84%
"…Impact assessment: A successful exploit grants an unauthenticated attacker authenticated API access with certificate-user role privileges across 16 cert_chain_approved endpoint definitions spanning 15 controllers. Our analysis of 88 controller bytecode files identified the…"

T1190 Exploit Public-Facing Application
69%
"…vulnerabilities in certchainauth.contains_certificate() and certificate.validate_cert_chain() remain until version 7.4.7 ships. Our affected Cosmos customers were notified of this vulnerability shortly after the vendor disclosure, and we continue to monitor for new th…"

T1190 Exploit Public-Facing Application
66%
"…it reaches Django, so both requests return an identical HTTP 401. No certificate data is sent and no authentication is attempted. Remediation: Patching. Apply the Fortinet-provided hotfix immediately. The hotfix adds Apache RequestHeader unset directives that strip spoofable h…"

T1190 Exploit Public-Facing Application
53%
"…auth_middleware.pyc. Our byte-for-byte comparison of the hotfix against the original 7.4.5 auth_middleware.pyc confirms that check_request_authorization(), the core authentication dispatch function, is completely unchanged. The hotfix makes exactly two modificat…"

Summary

Bishop Fox researchers expanded on Fortinet's disclosure of CVE-2026-35616 by identifying the root cause via the released hotfix.