Severity: HIGH

CVE-2026-3561

Weakness: CWE-122 (Heap-based Buffer Overflow) · Published: March 16, 2026 · Updated: March 16, 2026

CVSS v3.1 base score: 8.0
EPSS: 0.11% probability of exploitation in 30 days (28.6th percentile)

Official Description

Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the handling of PUT requests to the characteristics endpoint. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28479.

Source: NVD
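The mechanism the description names, a length taken from the request and handed to a copy into a fixed-size heap buffer, is the standard CWE-122 shape. The C below is an added illustration written for this page, not Philips Hue Bridge code: the handler names, the 64-byte buffer size, the value types and the sample inputs are all assumptions. It puts the unchecked copy beside the checked version, including the terminator off-by-one that string-typed values introduce.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of CWE-122 in a HAP-style "characteristics"
 * write handler. Names, sizes and the 64-byte limit are assumptions for
 * this example; nothing here is Philips Hue Bridge code. */

#define CHAR_VALUE_MAX 64u   /* assumed size of the per-value heap buffer */

enum put_status { PUT_OK = 0, PUT_TOO_LONG, PUT_BAD_ARG, PUT_NO_MEMORY };

struct char_value {
    uint32_t iid;    /* instance id of the characteristic written by the PUT */
    uint8_t *data;   /* heap buffer of CHAR_VALUE_MAX bytes */
    size_t   len;    /* bytes actually stored */
};

/* Vulnerable pattern: allocates a fixed buffer, then copies however many
 * bytes the client sent. value_len > CHAR_VALUE_MAX corrupts the heap.
 * Only ever call this with value_len <= CHAR_VALUE_MAX; the overflow is
 * undefined behaviour and the function exists only to mark the missing check. */
enum put_status store_value_vulnerable(struct char_value *cv, uint32_t iid,
                                       const uint8_t *value, size_t value_len)
{
    cv->data = malloc(CHAR_VALUE_MAX);
    if (cv->data == NULL) return PUT_NO_MEMORY;
    cv->iid = iid;
    memcpy(cv->data, value, value_len);   /* CWE-122: no bound on value_len */
    cv->len = value_len;
    return PUT_OK;
}

/* Hardened: reject before allocating. Raw values may fill the whole
 * buffer; string values must leave room for the NUL terminator, which is
 * the usual off-by-one when the limit is written as "len <= max". */
enum put_status store_value_checked(struct char_value *cv, uint32_t iid,
                                    const uint8_t *value, size_t value_len,
                                    int is_string)
{
    size_t limit = is_string ? CHAR_VALUE_MAX - 1 : CHAR_VALUE_MAX;
    if (cv == NULL || value == NULL) return PUT_BAD_ARG;
    if (value_len > limit) return PUT_TOO_LONG;

    cv->data = malloc(CHAR_VALUE_MAX);
    if (cv->data == NULL) return PUT_NO_MEMORY;
    cv->iid = iid;
    memcpy(cv->data, value, value_len);
    if (is_string) cv->data[value_len] = '\0';
    cv->len = value_len;
    return PUT_OK;
}

void free_value(struct char_value *cv)
{
    free(cv->data);
    cv->data = NULL;
    cv->len = 0;
}

/* Constructed input standing in for the parsed "value" of a PUT body,
 * e.g. a one-byte boolean "on" write. */
static const uint8_t sample_on[1] = { 1 };

int main(void)
{
    struct char_value cv = {0};
    uint8_t oversized[200];
    memset(oversized, 'A', sizeof oversized);

    printf("checked, 1 byte:          %d\n", store_value_checked(&cv, 9, sample_on, 1, 0));
    free_value(&cv);
    printf("checked, 200 bytes:       %d\n", store_value_checked(&cv, 9, oversized, sizeof oversized, 0));
    printf("checked, 64-byte string:  %d\n", store_value_checked(&cv, 9, oversized, 64, 1));
    printf("vulnerable, 1 byte:       %d\n", store_value_vulnerable(&cv, 9, sample_on, 1));
    free_value(&cv);
    return 0;
}
```

store_value_vulnerable is kept only to show where the missing check sits; calling it with a value longer than the buffer is undefined behaviour, so the stand-alone run only hands it in-bounds data. The defensive rule is the ordering in store_value_checked: validate the attacker-controlled length against the buffer the data will land in before any allocation or copy, with a separate limit for values that need a terminator.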

Technical Analysis

CVE-2026-3561 is scored with an Adjacent attack vector (AV:A): the attacker must already be able to reach the bridge on its local network segment, for example from another host on the same home or office LAN or Wi-Fi. The flaw is not directly reachable from the open internet, but any compromised or untrusted device on that segment is in scope.

The vector records Privileges Required: Low (PR:L), but the official description states that the authentication the characteristics endpoint normally requires can be bypassed, so the effective barrier is lower than the PR:L metric suggests. Plan on the basis that any device able to send a PUT to the endpoint can attempt the attack.

A successful exploit yields arbitrary code execution in the context of the device, with complete loss of confidentiality (data exposure), integrity (data manipulation) and availability (denial of service), giving a CVSS base score of 8.0 (High).

CVSS v3.1 Vector Breakdown

Exploitability
  • Attack Vector: Adjacent (AV:A)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low (PR:L)
  • User Interaction: None (UI:N)
  • Scope: Unchanged (S:U)
Impact
  • Confidentiality: High (C:H)
  • Integrity: High (I:H)
  • Availability: High (A:H)

Vector string as published (note that it carries a CVSS:3.0 prefix): CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploit & PoC Resources

No known exploit: no public exploit has been confirmed at this time.

News & Research Mentioning CVE-2026-3561

Note: the three items below were matched on the identifier CVE-2026-35616, an unrelated Fortinet FortiClient EMS vulnerability whose ID merely shares a prefix with CVE-2026-3561. None of them mention CVE-2026-3561 or the Philips Hue Bridge.

Hackers exploit FortiClient EMS flaw to push infostealer malware
BleepingComputer · May 28, 2026

Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. [...]

CISA Adds One Known Exploited Vulnerability to Catalog
CISA Alerts · Apr 6, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2026-35616, Fortinet FortiClient EMS Improper Access Control Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks [...]

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
The Hacker News · Apr 5, 2026

Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild. The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation. "An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an [...]


Quick Facts

  • CVE ID: CVE-2026-3561
  • CVSS Score: 8.0 / 10
  • Severity: HIGH
  • Weakness: CWE-122
  • CISA KEV: No
  • EPSS (30d): 0.11%
  • Published: Mar 16, 2026


Recommended Actions

  • Update affected Philips Hue Bridge units to firmware that addresses CVE-2026-3561 as soon as the vendor makes it available, and confirm the installed version afterwards
  • Because the attack vector is Adjacent, limit who can reach the bridge: keep it on a segregated IoT VLAN or guest network and block access from untrusted clients and from the internet
  • Do not treat the endpoint's authentication as a mitigation; the official description states it can be bypassed
  • Monitor CVE-2026-3561 in threat intel feeds and watch for changes in its EPSS and CISA KEV status
  • Review IDS/IPS coverage for anomalous or oversized PUT requests to the characteristics endpoint on the bridge's local network
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.