CVE-2026-35616 is a critical authentication bypass vulnerability affecting Fortinet FortiClient endpoints. Active exploitation has been confirmed in the wild, making this a priority for all SOC and IR teams.
Introduction
Fortinet has released an emergency out-of-band patch addressing a critical authentication bypass flaw, tracked as CVE-2026-35616, in its widely deployed FortiClient endpoint security solution. This vulnerability is the latest in a disturbing trend of Fortinet zero-days being leveraged by threat actors. Given the role of FortiClient in secure remote access (SSL VPN) and endpoint posture enforcement, a successful bypass effectively undermines the perimeter defense, allowing attackers to gain unauthorized network access without valid credentials.
Defenders must treat this with the same urgency as a boundary breach. If your organization uses FortiClient, you are currently in a vulnerable state until patches are verified.
Technical Analysis
- Affected Product: FortiClient (Windows)
- CVE Identifier: CVE-2026-35616
- CVSS Score: 9.8 (Critical) – Estimated based on auth bypass impact
- Vulnerability Type: Authentication Bypass
How it Works: The vulnerability resides in the FortiClient agent's handling of authentication sessions. Specifically, the flaw allows an attacker to bypass the authentication check for the SSL VPN or EMS (Enterprise Management Server) communication. By sending a specifically crafted request to the vulnerable component, an unauthenticated attacker can impersonate a legitimate user.
From a defender's perspective, this means the "trust" established by the endpoint agent—verifying the machine's compliance before granting network access—can be circumvented. Attackers do not need to steal credentials; they simply trick the client or the gateway into believing they are already authenticated.
Exploitation Status: Threat intelligence indicates that this vulnerability has been exploited in the wild. It is highly probable that initial access brokers (IABs) are scanning for vulnerable FortiClient versions to establish a foothold in target networks ahead of ransomware operations.
Detection & Response
Detecting an authentication bypass is challenging because the traffic may appear legitimate to standard firewall logs (post-bypass). However, we can detect the mechanics of the exploit or the post-exploitation behavior.
Sigma Rules
---
title: FortiClient Potential Exploitation - Suspicious Child Process
id: 9a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects when FortiClient processes spawn suspicious shells or utilities, often indicating exploit code execution or injection.
references:
- https://www.darkreading.com/vulnerabilities-threats/fortinet-emergency-patch-forticlient-zero-day
author: Security Arsenal
date: 2026/02/10
tags:
- attack.execution
- attack.t1059.001
- cve.2026.35616
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains:
- '\FortiClient.exe'
- '\FortiESNAC.exe'
- '\FortiSSLVPN.exe'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrator debugging (Rare)
level: high
---
title: FortiClient Potential Exploitation - Memory Modification Access
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects unusual access patterns targeting FortiClient process memory, which may indicate an attempt to bypass auth controls via memory manipulation.
references:
- https://www.darkreading.com/vulnerabilities-threats/fortinet-emergency-patch-forticlient-zero-day
author: Security Arsenal
date: 2026/02/10
tags:
- attack.defense_evasion
- attack.t1054.001
- cve.2026.35616
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|contains:
- '\FortiClient.exe'
- '\FortiESNAC.exe'
GrantedAccess|contains:
- '0x1F0FFF' # PROCESS_ALL_ACCESS
- '0x1010' # VM_READ|VM_WRITE
SourceImage|notcontains:
- '\Program Files\Fortinet'
- '\Program Files (x86)\Fortinet'
condition: selection
falsepositives:
- Antivirus/EDR self-protection scans
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious child processes spawned by FortiClient
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("FortiClient.exe", "FortiESNAC.exe", "FortiSSLVPN.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc
Velociraptor VQL
-- Hunt for FortiClient processes and their suspicious children
SELECT Parent.Pid AS ParentPid,
Parent.Name AS ParentName,
Pid,
Name,
CommandLine,
Username
FROM pslist()
LEFT JOIN pslist() AS Parent ON Parent.Pid = Ppid
WHERE Parent.Name =~ "FortiClient"
AND Name =~ "(cmd|powershell|wscript|cscript)\.exe"
Remediation Script (PowerShell)
<#
.SYNOPSIS
Check and remediate FortiClient versions vulnerable to CVE-2026-35616.
.DESCRIPTION
This script checks the installed FortiClient version against the fixed version (7.4.3).
If the version is vulnerable, it prompts the administrator to update immediately.
NOTE: Update the $FixedVersion variable if the advisory changes.
#>
$FixedVersion = "7.4.3"
$Vulnerable = $false
# Registry path for FortiClient
$RegPaths = @(
"HKLM:\SOFTWARE\Fortinet\FortiClient",
"HKLM:\SOFTWARE\Wow6432Node\Fortinet\FortiClient"
)
foreach ($Path in $RegPaths) {
if (Test-Path $Path) {
$InstalledVersion = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue)."Version Information"
# FortiClient often stores version in different formats or subkeys, checking common locations
if (-not $InstalledVersion) {
$InstalledVersion = (Get-ItemProperty -Path "$Path\Tasks" -ErrorAction SilentlyContinue).Version
}
if ($InstalledVersion) {
Write-Host "[+] Found FortiClient Version: $InstalledVersion"
# Simple version comparison logic (assumes standard Major.Minor.Build format)
if ([version]$InstalledVersion -lt [version]$FixedVersion) {
Write-Host "[!] ALERT: Installed version is VULNERABLE to CVE-2026-35616." -ForegroundColor Red
Write-Host "[!] Current: $InstalledVersion | Required: $FixedVersion or higher" -ForegroundColor Red
$Vulnerable = $true
} else {
Write-Host "[*] System is patched." -ForegroundColor Green
}
}
}
}
if ($Vulnerable) {
Write-Host "[ACTION REQUIRED] Please download the latest FortiClient from Fortinet Support immediately."
Write-Host "https://www.fortiguard.com/psirt"
} else {
Write-Host "No vulnerable FortiClient installation detected via registry checks."
}
Remediation
- Patch Immediately: Apply the emergency patch released by Fortinet. Ensure all FortiClient endpoints are updated to version 7.4.3 or later (or the specific patched version listed in the official advisory for your track).
- Verify SSL VPN Logs: Conduct a retroactive hunt on VPN logs for successful logins that do not have corresponding MFA success events or originate from anomalous geolocations.
- Isolate Compromised Hosts: If exploitation is detected, isolate the affected endpoint from the network immediately. Assume the attacker has established persistence.
- Official Advisory: Review the full technical details at the Fortinet Security Advisory and the CISA Known Exploited Vulnerabilities Catalog.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.