
CVE-2026-35616: FortiClient EMS Exploitation — Detection, Hunting, and Hardening Guide

Security Arsenal Team
May 28, 2026

Introduction

A critical vulnerability affecting FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-35616, is being actively exploited in the wild to deploy information-stealing malware. According to reports by Arctic Wolf, threat actors are leveraging this security flaw—patched by Fortinet in April—to bypass authentication and execute arbitrary code on vulnerable servers.

With a CVSS score of 9.1, this vulnerability represents a severe risk to organizations relying on FortiClient EMS for fleet management. The attack vector allows unauthenticated remote code execution (RCE), effectively handing control of the management server to attackers without requiring credentials. Once compromised, the EMS server becomes a beachhead for lateral movement and malware distribution. Defenders must treat this as an active emergency and prioritize patching, network segmentation, and threat hunting immediately.

Technical Analysis

  • Affected Product: FortiClient Endpoint Management Server (EMS)
  • CVE Identifier: CVE-2026-35616
  • CVSS Score: 9.1 (Critical)
  • Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') / Remote Code Execution (RCE)
  • Impact: Unauthenticated remote code execution allowing an attacker to take complete control of the EMS server.
  • Attack Chain:
    1. Initial Access: The attacker sends a specifically crafted HTTP request to the FortiClient EMS web interface.
    2. Exploitation: The request exploits the path traversal flaw to bypass the authentication checks that should gate the affected functionality.
    3. Execution: The server executes arbitrary commands or code within the context of the SYSTEM or high-privilege service account.
    4. Payload Deployment: The follow-on activity observed in the wild is deployment of information-stealing malware, staged through a dropper, to harvest credentials and other sensitive data from the management server and the endpoints it manages.
  • Exploitation Status: Confirmed active exploitation. Arctic Wolf has observed threat actors using this flaw to drop payloads. Check the CISA Known Exploited Vulnerabilities (KEV) catalog for its current listing status rather than assuming either way.

Detection & Response

Given the active exploitation status, SOC teams must assume that attempts against internet-facing EMS instances are ongoing. The following detection logic focuses on the behavioral outliers of a web application spawning system shells, which is highly anomalous for FortiClient EMS.

Sigma Rules

The following Sigma rules target the post-exploitation behavior where the EMS process spawns unauthorized child processes (cmd.exe, powershell.exe) or initiates outbound connections on ports it has no reason to use. Both rules key on the image name FortiClientEMS.exe. Confirm which service binaries are actually present on your EMS host, including whatever web front-end process receives the HTTP requests, and extend the image lists accordingly; otherwise the rules will silently miss the spawning process.

YAML
---
title: FortiClient EMS Spawning Windows Shell
id: 8a4f3d2e-1b9c-4f7d-9e6a-5c8b9d0e1f2a
status: experimental
description: Detects FortiClient EMS process spawning cmd.exe or powershell.exe, indicative of RCE exploitation.
references:
  - https://securityaffairs.com/192817/malware/cve-2026-35616-forticlient-ems-flaw-actively-exploited-in-malware-attacks.html
author: Security Arsenal
date: 2026-04-15
tags:
  - attack.execution
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - 'FortiClientEMS.exe'
      - 'FortiClientEMSAgent.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative debugging (rare)
level: critical
---
title: FortiClient EMS Suspicious Network Connection
id: 9b5e4f3a-2c0d-4e8a-a0f7-b1d9c0e2f3a4
status: experimental
description: Detects the FortiClient EMS process initiating outbound connections to ports outside its expected set, which can indicate C2 beaconing or payload retrieval. Tune the port allow-list to what your EMS deployment actually uses.
references:
  - https://securityaffairs.com/192817/malware/cve-2026-35616-forticlient-ems-flaw-actively-exploited-in-malware-attacks.html
author: Security Arsenal
date: 2026-04-15
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\FortiClientEMS.exe'
    Initiated: 'true'
  # Sigma has no 'notin' modifier; exclude expected ports with a filter selection instead
  filter_expected_ports:
    DestinationPort:
      - 80
      - 443
      - 514
      - 8013
  condition: selection and not filter_expected_ports
falsepositives:
  - FortiGuard update or cloud management traffic on ports missing from the allow-list
level: high

Microsoft Sentinel / Defender KQL

This KQL hunt query identifies processes spawned by the FortiClient EMS parent process, specifically looking for shells or script interpreters.

KQL — Microsoft Sentinel / Defender
// Child image name lives in FileName; DeviceProcessEvents has no ProcessFileName column
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("FortiClientEMS", "FortiClientEMSAgent")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountDomain, AccountName,
          InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          FolderPath, ProcessCommandLine, ProcessId
| order by Timestamp desc

Velociraptor VQL

Use this VQL artifact to hunt for suspicious child processes of the EMS service on endpoints.

VQL — Velociraptor
-- Hunt for suspicious processes spawned by FortiClient EMS.
-- pslist() rows carry Ppid but no Parent object, so the parent name is
-- resolved with a subquery against pslist(pid=Ppid).
LET Children = SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime
    FROM pslist()
    WHERE Name =~ "^(cmd|powershell|pwsh|cscript|wscript|mshta)[.]exe$"

SELECT Pid,
       Ppid,
       { SELECT Name FROM pslist(pid=Ppid) } AS ParentName,
       { SELECT Exe FROM pslist(pid=Ppid) } AS ParentExe,
       Name,
       CommandLine,
       Exe,
       Username,
       CreateTime
FROM Children
WHERE ParentName =~ "FortiClientEMS"
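The Sigma, KQL and VQL logic above all need a SIEM, EDR or Velociraptor deployment. The following PowerShell hunt is an added example (not part of the original page or a Fortinet tool) that applies the same parent/child logic directly to the Windows Security log on the EMS host. It assumes "Audit Process Creation" (event 4688) with command-line inclusion is enabled, that the host runs Windows Server 2016 or later so 4688 carries ParentProcessName, and that the EMS image names match the ones the Sigma rule above assumes; adjust $ParentNames to your installation.

```powershell
# Added example: hunt Security log 4688 events for shells or script hosts spawned by the EMS process.
# Assumed: 4688 auditing with command line enabled, Server 2016+ (ParentProcessName present),
# and the EMS image names used by the Sigma rule. Run as Administrator on the EMS host.
function Find-EmsSpawnedShell {
    param(
        [int]$Days = 7,
        [string[]]$ParentNames = @('FortiClientEMS.exe', 'FortiClientEMSAgent.exe'),
        [string[]]$ChildNames  = @('cmd.exe', 'powershell.exe', 'pwsh.exe',
                                   'cscript.exe', 'wscript.exe', 'mshta.exe')
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }

    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Build a name->value table from EventData; positional Properties indexes differ across OS builds.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if (-not $data['ParentProcessName']) { return }   # older OS builds omit the parent; skip

            $parent = Split-Path -Leaf $data['ParentProcessName']
            $child  = Split-Path -Leaf $data['NewProcessName']

            # -contains is case-insensitive, matching Sigma's default string semantics
            if (($ParentNames -contains $parent) -and ($ChildNames -contains $child)) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $_.MachineName
                    Parent      = $data['ParentProcessName']
                    Child       = $data['NewProcessName']
                    CommandLine = $data['CommandLine']
                    Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Token       = $data['TokenElevationType']
                }
            }
        }
}

# Usage: any row is a critical finding, since EMS has no legitimate reason to spawn a shell.
$hits = @(Find-EmsSpawnedShell -Days 30)
if ($hits.Count -eq 0) {
    Write-Host "[+] No shell or script host spawned by the EMS process in the last 30 days." -ForegroundColor Green
} else {
    Write-Host "[!] $($hits.Count) suspicious child process event(s) found:" -ForegroundColor Red
    $hits | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
}
```

If CommandLine comes back empty on every hit, command-line inclusion is not enabled ("Include command line in process creation events" under Audit Process Creation); turn it on before the next exposure window, because the child image alone rarely tells you what the attacker ran.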

Remediation Script (PowerShell)

This script reports the installed FortiClient EMS version and service status so you can compare it against the fixed builds in the advisory. The service name (FortiClientEMS) and binary name it looks for are assumptions; check them against your installation. Always verify the specific version requirements in the official Fortinet advisory for CVE-2026-35616 before declaring a system safe.

PowerShell
# FortiClient EMS Health Check for CVE-2026-35616
# Requires Administrative Privileges
# The service name and binary name below are assumptions; adjust them to match your installation.

$serviceName = "FortiClientEMS"

Write-Host "[+] Checking FortiClient EMS Service Status..." -ForegroundColor Cyan
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue

if ($service) {
    Write-Host "[+] Service Found: $($service.DisplayName) - Status: $($service.Status)" -ForegroundColor Green

    # Resolve the binary path. Win32_Service.PathName may be quoted and may carry arguments,
    # so extract only the executable portion rather than stripping quotes and splitting.
    $pathName = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'").PathName
    if ($pathName -match '^\s*"([^"]+)"|^\s*(\S+)') {
        $exePath = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        if (Test-Path -LiteralPath $exePath) {
            $versionInfo = (Get-Item -LiteralPath $exePath).VersionInfo
            Write-Host "[+] Binary Path: $exePath" -ForegroundColor Yellow
            Write-Host "[+] File Version: $($versionInfo.FileVersion) (Product: $($versionInfo.ProductVersion))" -ForegroundColor Yellow
            Write-Host "[!] Compare this version against the Fortinet advisory for CVE-2026-35616." -ForegroundColor Red
        } else {
            Write-Host "[-] Service binary not found at: $exePath" -ForegroundColor Red
        }
    }
} else {
    Write-Host "[-] FortiClient EMS Service '$serviceName' not found on this host." -ForegroundColor Gray
}

# Cross-check against the installed-programs registry, which records the product
# version independently of whichever service binary was found above.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'FortiClient*EMS*' -or $_.DisplayName -like 'FortiClient Endpoint Management*' } |
    ForEach-Object { Write-Host "[+] Installed Product: $($_.DisplayName) $($_.DisplayVersion)" -ForegroundColor Yellow }

Write-Host "[+] Recommendation: If version is vulnerable, apply patches released in April 2026 immediately." -ForegroundColor Cyan
Write-Host "[+] Recommendation: Restrict management interface access (TCP 443/8013) to internal subnets only." -ForegroundColor Cyan

Remediation

  1. Patch Immediately: Apply the security patches released by Fortinet in April 2026. Ensure you are updated to a build that specifically addresses CVE-2026-35616. Check the Fortinet Security Advisory (FG-IR-24-XXX or similar) for the exact fixed versions.
  2. Network Segmentation: Ensure FortiClient EMS is not directly accessible from the internet. Place it behind a VPN or Zero Trust Access solution. Restrict inbound traffic to the EMS management ports (typically TCP 443 and 8013) to known management subnets only.
  3. Audit for Compromise: If your EMS was exposed and unpatched during the active exploitation window, assume compromise. Hunt for the process spawning behaviors defined in the Detection section and audit logs for suspicious account creation or data exports.
  4. Credential Rotation: If exploitation is confirmed, rotate all credentials stored within the EMS and any service accounts the EMS uses to manage endpoints.
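The perimeter controls in step 2 should be backed by a host-level rule set on the EMS server itself, so that a misconfigured firewall or VPN does not re-expose the management ports. The following PowerShell is an added example (not from the page or from Fortinet) that scopes the two ports with Windows Defender Firewall. The subnets are placeholders. It assumes TCP 443 is the web admin interface and TCP 8013 is the FortiClient telemetry port, which is why the 8013 rule is scoped to the endpoint ranges rather than to administrators only; verify both port roles against Fortinet's port documentation for your EMS version before applying it.

```powershell
# Added example: scope inbound access to the EMS ports with Windows Defender Firewall.
# Placeholder values below; replace with your own management and endpoint ranges.
# Port roles are assumptions (443 = admin UI, 8013 = FortiClient telemetry); verify for your version.
$AdminSubnets    = @('10.10.0.0/24')                  # where EMS administrators connect from
$EndpointSubnets = @('10.20.0.0/16', '10.30.0.0/16')  # where managed FortiClient endpoints live
$Ports = @{ Admin = 443; Telemetry = 8013 }
$scopedNames = @('EMS Admin UI (scoped)', 'EMS Telemetry (scoped)')

function New-ScopedEmsRule {
    param([string]$Name, [int]$Port, [string[]]$RemoteAddress)
    # Remove any earlier copy so re-running the script is idempotent.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $Port -RemoteAddress $RemoteAddress -Profile Any -Enabled True | Out-Null
}

New-ScopedEmsRule -Name $scopedNames[0] -Port $Ports.Admin     -RemoteAddress $AdminSubnets
New-ScopedEmsRule -Name $scopedNames[1] -Port $Ports.Telemetry -RemoteAddress $EndpointSubnets

# Scoped Allow rules only help if no other enabled Allow rule opens the same ports to Any.
# Find enabled inbound TCP Allow rules that name 443 or 8013 with an unrestricted remote scope and disable them.
$targetPorts = @("$($Ports.Admin)", "$($Ports.Telemetry)")
$conflicting = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notin $scopedNames } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.Protocol -eq 'TCP') -and
        (@($pf.LocalPort) | Where-Object { $_ -in $targetPorts }) -and
        (@($af.RemoteAddress) -contains 'Any')
    }

foreach ($rule in $conflicting) {
    Write-Host "[!] Disabling unscoped inbound rule: $($rule.DisplayName)" -ForegroundColor Yellow
    $rule | Disable-NetFirewallRule
}

# Verify: every profile should default to Block inbound, and only the scoped rules should cover these ports.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
Get-NetFirewallRule -DisplayName 'EMS *(scoped)' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Port    = ($pf.LocalPort -join ',')
        From    = ($af.RemoteAddress -join ', ')
        Enabled = $_.Enabled
    }
} | Format-Table -AutoSize
```

The conflict check only catches rules that list the ports explicitly. Program-based rules with LocalPort set to Any (for example one created for the EMS web server binary at install time) still allow those ports from anywhere and need to be reviewed by hand; list them with Get-NetFirewallRule piped to Get-NetFirewallPortFilter and look for LocalPort Any on TCP.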

Official Vendor Advisory: Refer to the Fortinet Security Advisories for the latest bulletin on CVE-2026-35616.
