Introduction
Fortinet has released out-of-band security patches for a critical vulnerability in FortiClient EMS (Enterprise Management Server), tracked as CVE-2026-35616. This flaw carries a CVSS score of 9.1 and is classified as an Improper Access Control vulnerability (CWE-284).
The urgency of this bulletin cannot be overstated: active exploitation in the wild has been confirmed. This is not a theoretical risk. Adversaries are currently leveraging this pre-authentication API access bypass to gain unauthorized privileges on management servers. For defenders, this represents a critical pathway to a full domain compromise, as FortiClient EMS often holds high-privileged service accounts and controls endpoints across the enterprise. Immediate containment and patching are required.
Technical Analysis
- Affected Product: FortiClient EMS (Enterprise Management Server)
- CVE Identifier: CVE-2026-35616
- CVSS Score: 9.1 (Critical)
- Vulnerability Type: Pre-authentication API Access Bypass / Improper Access Control (CWE-284)
- Impact: Unauthorized Privilege Gain (Remote Code Execution potential)
Attack Mechanics
CVE-2026-35616 resides in the API handling component of FortiClient EMS. The vulnerability allows an unauthenticated attacker to bypass standard access controls via a specific API endpoint.
The Attack Chain:
- Reconnaissance: Attacker identifies exposed FortiClient EMS management interfaces (typically TCP ports 8013, 443, or custom ports) on the internet or internal network.
- Exploitation (Pre-auth): Attacker sends a specially crafted HTTP request to a vulnerable API endpoint. Due to the improper access control, the server processes the request without validating the user session.
- Privilege Escalation: The API call triggers a logic flaw that grants the attacker administrative or high-privileged access to the underlying system or the EMS application database.
- Objectives: With system-level access, attackers can deploy ransomware, dump credentials for lateral movement, or push malicious configuration updates to managed endpoints.
Exploitation Status
CONFIRMED ACTIVE EXPLOITATION. Fortinet and reporting outlets have verified that this vulnerability is being utilized in real-world attacks. Given the severity (CVSS 9.1) and the availability of exploits, this should be treated as a mass-exploitation event.
Detection & Response
This section provides actionable detection logic to identify potential exploitation attempts against FortiClient EMS or successful compromise of the EMS server.
SIGMA Rules
---
title: FortiClient EMS Pre-Auth API Access Attempt
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential pre-authentication API access attempts against FortiClient EMS by identifying suspicious API endpoints accessed without a valid session token or referrer.
references:
  - https://fortiguard.com/encyclopedia?type=ips&id=45000
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: iis
detection:
  selection:
    c-uri|contains:
      - '/api/v1/'
      - '/api/v2/'
      - '/rpc/'
    cs-uri-query|contains:
      - 'uid='
      - 'session='
  filter:
    cs-cookie|contains: 'FCSESSID='
  condition: selection and not filter
falsepositives:
  - Legitimate administrative API access from non-standard clients
level: high
---
title: FortiClient EMS Service Spawning Shell
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the FortiClient EMS Windows service spawning cmd.exe or powershell.exe, a common post-exploitation behavior following privilege escalation.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: \\FortiClientEMSService.exe
    Image|endswith:
      - \\cmd.exe
      - \\powershell.exe
      - \\pwsh.exe
  condition: selection
falsepositives:
  - Legitimate administrative debugging (rare)
level: critical
---
title: Suspicious File Writes in FortiClient EMS Directory
id: 0c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects creation of executables or scripts within the FortiClient EMS installation directory by users other than the installer or service account.
references:
  - https://attack.mitre.org/techniques/T1105/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.lateral_movement
  - attack.t1105
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\FortiClient EMS\\'
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.ps1'
      - '.bat'
  filter:
    User|contains:
      - 'SYSTEM'
      - 'Administrator'
  condition: selection and not filter
falsepositives:
  - Software updates or legitimate plugin installations
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious API access patterns on IIS servers hosting FortiClient EMS
// Look for 200 OK responses to API endpoints without an EMS session cookie
// DeviceProcessEvents exposes the image name as FileName (there is no ProcessName column)
let EMS_Servers = DeviceProcessEvents
  | where FileName =~ "FortiClientEMSService.exe"
  | distinct DeviceName;
// Note: DeviceName may be an FQDN while ComputerName is a short host name; normalise if the join is empty
W3CIISLog
  | where ComputerName in (EMS_Servers)
  | where scStatus == 200
  | where csUriStem has "/api/"
  | where isnull(csCookie) or csCookie !contains "FCSESSID"
  | project TimeGenerated, ComputerName, cIP, csUriStem, csUriQuery, csUserAgent, scStatus
  | order by TimeGenerated desc
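The Sigma rule and KQL hunt above both reduce to one condition over the IIS access log: an API URI served with a 200 status to a request that carried no FCSESSID cookie. The script below is an added example (not from the original post or from Fortinet) that applies that condition to W3C Extended log lines so the logic can be run offline against an exported log. The field names are the standard IIS W3C names; the log excerpt, the client addresses and the API paths in it are constructed for the example, not observed values.

```python
"""
Flag FortiClient EMS API requests served without an FCSESSID session cookie.

Condition (from the Sigma rule and KQL hunt): URI under one of the API
prefixes, HTTP status 200, and no FCSESSID cookie on the request. The Sigma
rule additionally keys on uid=/session= query parameters; that is reported as
a boolean so an analyst can tier the results.
"""

API_PREFIXES = ("/api/v1/", "/api/v2/", "/rpc/")   # URI prefixes from the Sigma rule
SESSION_COOKIE = "FCSESSID="                       # EMS session cookie name used in the rule
QUERY_MARKERS = ("uid=", "session=")               # query keys the Sigma rule selects on

# Constructed W3C IIS log excerpt (not real traffic). Field order follows the
# #Fields: directive; "-" is the W3C placeholder for an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie) cs(User-Agent)
2026-04-06 10:00:01 10.0.0.5 GET /api/v1/status - 200 FCSESSID=abc123;theme=dark Mozilla/5.0
2026-04-06 10:00:07 203.0.113.9 POST /api/v1/example/endpoint uid=1 200 - python-requests/2.31
2026-04-06 10:00:09 203.0.113.9 GET /api/v2/users session=x 401 - curl/8.4
2026-04-06 10:00:12 10.0.0.8 GET /static/app.js - 200 - Mozilla/5.0
2026-04-06 10:00:20 198.51.100.4 GET /rpc/admin - 200 other=1 curl/8.4
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()  # W3C encodes spaces inside values as '+'
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a line that does not match it: skip rather than guess
        yield dict(zip(fields, values))


def is_unauthenticated_api_hit(rec):
    """True when an API URI was served 200 to a request without the EMS session cookie."""
    uri = rec.get("cs-uri-stem", "")
    cookie = rec.get("cs(Cookie)", "-")
    status = rec.get("sc-status", "")
    return (
        any(prefix in uri for prefix in API_PREFIXES)
        and status == "200"
        and SESSION_COOKIE not in cookie
    )


def find_unauthenticated_api_hits(log_text):
    """Return the flagged requests with the fields an analyst needs to triage them."""
    hits = []
    for rec in parse_w3c(log_text):
        if is_unauthenticated_api_hit(rec):
            query = rec.get("cs-uri-query", "-")
            hits.append({
                "c-ip": rec.get("c-ip", "-"),
                "uri": rec.get("cs-uri-stem", "-"),
                "query": query,
                "user_agent": rec.get("cs(User-Agent)", "-"),
                "query_marker": any(m in query for m in QUERY_MARKERS),
            })
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_api_hits(SAMPLE_LOG):
        print(hit)
```

On the sample, the authenticated status call and the 401 and static requests are dropped, and the two 200 responses without a session cookie are returned; the first of them also carries a uid= query marker. Point the function at a real exported W3C log only after confirming the site logs the cs(Cookie) field, since the condition cannot be evaluated without it.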
Velociraptor VQL
-- Hunt for suspicious child processes spawned by FortiClient EMS Service
-- VQL has no SQL-style JOIN; pslist() exposes the image name as Name, so the
-- parent/child match is done with foreach() over the service's process rows.
LET parents = SELECT Pid, Name
  FROM pslist()
  WHERE Name =~ "FortiClientEMSService.exe"

SELECT * FROM foreach(
  row=parents,
  query={
    SELECT row.Name AS ParentProcess, row.Pid AS ParentPid,
           Name AS ProcessName, Pid, CommandLine, Username, CreateTime
    FROM pslist()
    WHERE Ppid = row.Pid
      AND Name =~ "(cmd.exe|powershell.exe|pwsh.exe|wscript.exe|cscript.exe)"
  })
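The Sigma process-creation rule and the VQL hunt above both match a shell whose direct parent is the EMS service. The added example below (mine, not the post's or Velociraptor's) generalises that to any depth of ancestry, so a shell launched through an intermediate process is still attributed to the service, and it guards against the stale-Ppid problem that a point-in-time process listing has after PID reuse. The snapshot is constructed to resemble pslist() rows (Pid, Ppid, Name, Username, CreateTime); the PIDs, users and timestamps are invented for the example.

```python
"""
Find shells whose process ancestry includes the FortiClient EMS service.

Walks Ppid links upward from every shell in a process snapshot. A parent link
is only trusted if the parent was created before the child; a child that is
older than its recorded parent is a leftover of PID reuse and must not be
attributed to the process that now holds that PID.
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
EMS_SERVICE = "forticlientemsservice.exe"  # compared case-insensitively

# Constructed snapshot shaped like Velociraptor pslist() rows (not real data);
# CreateTime is epoch seconds.
SNAPSHOT = [
    {"Pid": 4,    "Ppid": 0,    "Name": "System",                    "Username": "NT AUTHORITY\\SYSTEM", "CreateTime": 1000},
    {"Pid": 700,  "Ppid": 4,    "Name": "services.exe",              "Username": "NT AUTHORITY\\SYSTEM", "CreateTime": 1001},
    {"Pid": 1234, "Ppid": 700,  "Name": "FortiClientEMSService.exe", "Username": "NT AUTHORITY\\SYSTEM", "CreateTime": 1010},
    {"Pid": 2001, "Ppid": 1234, "Name": "cmd.exe",                   "Username": "NT AUTHORITY\\SYSTEM", "CreateTime": 5000},
    {"Pid": 2002, "Ppid": 2001, "Name": "powershell.exe",            "Username": "NT AUTHORITY\\SYSTEM", "CreateTime": 5002},
    {"Pid": 3000, "Ppid": 700,  "Name": "svchost.exe",               "Username": "NT AUTHORITY\\SYSTEM", "CreateTime": 1020},
    {"Pid": 3100, "Ppid": 3000, "Name": "cmd.exe",                   "Username": "CORP\\admin",          "CreateTime": 5100},
    # PID 1234 was reused: this shell records it as parent but predates the service.
    {"Pid": 4000, "Ppid": 1234, "Name": "cmd.exe",                   "Username": "CORP\\admin",          "CreateTime": 900},
]


def ancestors(by_pid, proc):
    """Return ancestor names nearest-first, stopping on a missing parent, a
    cycle, or a parent created after the child (stale Ppid from PID reuse)."""
    chain, seen, cur = [], {proc["Pid"]}, proc
    while True:
        parent = by_pid.get(cur["Ppid"])
        if parent is None or parent["Pid"] in seen:
            return chain
        if parent["CreateTime"] > cur["CreateTime"]:
            return chain  # the recorded parent is younger than the child: not its real parent
        chain.append(parent["Name"])
        seen.add(parent["Pid"])
        cur = parent


def find_shells_under_ems(snapshot):
    """Return every shell with the EMS service somewhere in its ancestry,
    with the depth (1 = direct child) and the chain up to the service."""
    by_pid = {p["Pid"]: p for p in snapshot}
    findings = []
    for proc in snapshot:
        if proc["Name"].lower() not in SHELLS:
            continue
        chain = ancestors(by_pid, proc)
        lowered = [name.lower() for name in chain]
        if EMS_SERVICE in lowered:
            depth = lowered.index(EMS_SERVICE) + 1
            findings.append({
                "Pid": proc["Pid"],
                "Name": proc["Name"],
                "Username": proc["Username"],
                "depth": depth,
                "chain": chain[:depth],
            })
    return findings


if __name__ == "__main__":
    for finding in find_shells_under_ems(SNAPSHOT):
        print(finding)
```

On the sample, cmd.exe (PID 2001) is reported at depth 1 and the powershell.exe it launched (PID 2002) at depth 2, the shell under svchost.exe is ignored, and the stale PID 4000 entry is not attributed to the service. The same CreateTime guard is worth adding to the VQL hunt if a listing ever shows a service "child" that is older than the service itself.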
Remediation Script (PowerShell)
# Check FortiClient EMS Version for CVE-2026-35616 Vulnerability
# Note: Update the $SafeVersion variable based on the official Fortinet advisory
$SafeVersion = "7.4.2" # Example placeholder, verify exact patched version in Fortinet advisory
$RegistryPath = "HKLM:\SOFTWARE\Fortinet\FortiClientEMS"
$CurrentVersion = $null

if (Test-Path $RegistryPath) {
    $CurrentVersion = (Get-ItemProperty -Path $RegistryPath -ErrorAction SilentlyContinue).DisplayVersion
    if ($CurrentVersion) {
        Write-Host "Detected FortiClient EMS Version: $CurrentVersion" -ForegroundColor Cyan
        # Simple version comparison logic (adjust for complex version strings)
        if ([version]$CurrentVersion -lt [version]$SafeVersion) {
            Write-Host "[VULNERABLE] System is running a version vulnerable to CVE-2026-35616." -ForegroundColor Red
            Write-Host "Action Required: Patch to $SafeVersion or higher immediately." -ForegroundColor Yellow
        }
        else {
            Write-Host "[OK] System appears to be patched." -ForegroundColor Green
        }
    }
    else {
        Write-Host "Unable to determine version from registry." -ForegroundColor Yellow
    }
}
else {
    Write-Host "FortiClient EMS not found on this system." -ForegroundColor Gray
}
Remediation
- Patch Immediately: Apply the out-of-band patches released by Fortinet. Ensure you are upgrading to a version that specifically addresses CVE-2026-35616.
- Vendor Advisory: Refer to the Fortinet PSIRT Advisory for the exact build numbers.
- Restrict Management Access: As part of the principle of least privilege, ensure the FortiClient EMS management interface is not accessible from the internet. Place it behind a VPN or Zero Trust Access solution. If external access is required, enforce strict IP allow-listing via firewall rules.
- Audit for Compromise: If your EMS server was exposed and unpatched during the active exploitation window, assume compromise. Hunt for the indicators listed above (unusual service account logins, spawned shells) and rotate credentials for the service account and any domain accounts accessible via the EMS console.
- Update Agents: After patching the EMS server, ensure managed endpoints are communicating and have received the latest configuration updates to prevent secondary infections.