Authentication Bypass and RCE in Fortinet FortiClient EMS

This repository is a small standalone Python exploit for CVE-2026-35616 targeting a Fortinet API certificate-chain verification bypass. The repo contains three files: a README with usage guidance, one executable exploit script (exploit.py), and a requirements file. The exploit is not framework-based. Core capability: the script attempts to bypass client-certificate based access controls on Fortinet API endpoints by discovering acceptable CA/Common Names, generating a forged self-signed X.509 certificate with a candidate CN, and sending requests that spoof upstream TLS-authentication headers. It uses the headers X-SSL-CLIENT-VERIFY: SUCCESS and X-SSL-CLIENT-CERT containing a URL-encoded PEM certificate. If the target trusts these headers improperly, the script can access protected API routes. Operational flow: it builds a target base URL from command-line arguments (default 172.16.50.51:443), optionally enumerates acceptable client certificate CA names via openssl s_client, tests candidate CNs against /api/v1/system/capabilities, selects a working CN when HTTP/retval indicate success, then probes several additional API endpoints. It stores results in a JSON file under results/ and prints equivalent curl commands for manual verification. Notable targeted endpoints include /api/v1/system/capabilities, /api/v1/system/version, /api/v1/settings/server/public_address, /api/v1/fabric_device_auth/fortigate/init, and /api/v1/fortigate/info. The exploit is operational rather than a simple detector because it actively forges a certificate, performs authenticated bypass attempts, and retrieves protected API data. The payload is basic and hardcoded around header/certificate spoofing rather than a customizable post-exploitation framework.

This repository is a small standalone Python PoC for CVE-2026-35616 affecting Fortinet FortiClient EMS. It contains only two files: a README with usage/affected-version notes and one executable script, cve_2026_35616.py, which is the clear entry point. The script is not part of a larger exploit framework. The exploit targets a pre-authentication bypass in certificate-based authentication logic. Its core technique is to generate a self-signed X.509 certificate on the fly, URL-encode it, and send it in the X-SSL-CLIENT-CERT header while forcing X-SSL-CLIENT-VERIFY: SUCCESS. The script assumes the server-side component trusts these headers directly instead of validating the certificate cryptographically. Operational flow: (1) build the HTTPS base URL from target and port; (2) discover likely acceptable certificate common names (CNs) by invoking openssl s_client to inspect acceptable client CA names, by downloading certificates from /api/v1/ztna_certificates/download and parsing their CNs, and by reading a Serial Number response header from the target root page; (3) if discovery fails, fall back to hardcoded CN guesses (support, fortinet-ca2); (4) iterate through candidate CNs and attempt the bypass against /api/v1/system/capabilities; (5) once a working CN is found, probe several protected API endpoints with GET/POST/PATCH requests; and (6) print equivalent curl commands for manual reuse. Main exploit capabilities include unauthorized retrieval of system capabilities, version information, and public address settings, plus interaction with FortiGate-related API endpoints. The script is more than a detector because it actively performs the bypass and accesses protected resources, but it does not deploy a post-exploitation shell or arbitrary command payload. As written, it is an operational PoC for unauthorized API access against vulnerable FortiClient EMS instances.