Introduction
On April 6, 2026, CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. This vulnerability affects Fortinet FortiClient EMS (Endpoint Management System) and involves an Improper Access Control flaw. Given that EMS serves as the central management hub for FortiClient endpoints, a compromise here provides an attacker with a potent foothold to manipulate endpoint security policies, deploy malicious payloads, or exfiltrate sensitive device data.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by the specified due date. However, the active exploitation status in the wild means this is not just a compliance exercise—it is an immediate emergency for all organizations relying on Fortinet infrastructure.
Technical Analysis
- CVE Identifier: CVE-2026-35616
- Affected Product: Fortinet FortiClient EMS
- Vulnerability Type: Improper Access Control (CWE-284)
- Severity: Critical (Estimated CVSS v3.1 9.8+ based on KEV inclusion and impact)
Vulnerability Mechanics
FortiClient EMS is typically deployed on Windows Server to manage the FortiClient endpoint agent fleet. The vulnerability stems from an improper access control implementation within the EMS web interface or API. Specifically, the application fails to adequately validate user permissions on specific endpoints or functionalities.
This flaw allows a remote, unauthenticated attacker to bypass standard authentication checks. In practical terms, an attacker can send a specially crafted HTTP request to the EMS management interface (typically listening on port 443 or 8013) to gain administrative access or execute sensitive actions without valid credentials.
Exploitation Status
- In-the-Wild: Confirmed. CISA has added this to the KEV catalog specifically due to observed active exploitation.
- Attack Vector: Network. The attack requires only the ability to reach the EMS web interface.
- Impact: Successful exploitation results in a complete takeover of the EMS management plane. From here, an adversary can disconnect endpoint protection, push malicious configurations to thousands of endpoints, or move laterally to the core network.
Detection & Response
Detecting this vulnerability requires focusing on the EMS management interface. Since the flaw involves unauthorized access to web resources, defenders should hunt for anomalous HTTP activity against the EMS server, and for post-exploitation activity on the host itself, such as the EMS service or its Java runtime spawning a command shell.
SIGMA Rules
---
title: FortiClient EMS Potential Exploitation - Anomalous API Access
id: 8a4b2c1d-9e6f-4a3b-8c2d-1f4e5a6b7c8d
status: experimental
description: Detects potential exploitation of CVE-2026-35616 via suspicious access patterns to FortiClient EMS API endpoints without standard authentication headers or known exploit paths.
references:
  - https://www.cisa.gov/news-events/alerts/2026/04/06/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
  - cve-2026-35616
logsource:
  category: webserver
  product: fortinet
detection:
  selection:
    c-uri|contains:
      - '/api/logon'
      - '/api/v1'
    cs-method: 'POST'
  filter_legit:
    # Routine outcomes (success, rejected credentials) are excluded; any other
    # status on these POSTs is what the rule surfaces. Tune to your environment.
    sc-status:
      - 200
      - 401
  condition: selection and not filter_legit
falsepositives:
  - Legitimate API scanning by administrators
  - Misconfigured monitoring tools
level: high
---
title: FortiClient EMS Service Spawning Windows Shell
id: 9c5d3e2f-0a7b-4c9d-8e1f-2a3b4c5d6e7f
status: experimental
description: Detects post-exploitation behavior where the FortiClient EMS Java service spawns cmd.exe or powershell.exe, indicative of RCE achieved via web interface exploitation.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - cve-2026-35616
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - '\FortiClientEMS\'
      - '\Apache Tomcat\'
      - '\Java\'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Administrative maintenance via EMS console
level: critical
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious access to FortiClient EMS management ports
// EMS typically listens on port 8013 or standard 443; adjust EMS_Port as needed
let EMS_Port = 8013;
DeviceNetworkEvents
| where RemotePort == EMS_Port or LocalPort == EMS_Port
| where InitiatingProcessFileName !in ("FortiClientEMS.exe", "javaw.exe", "msiexec.exe")
| summarize count() by DeviceName, InitiatingProcessFileName, RemoteIP
| where count_ > 10
| project DeviceName, InitiatingProcessFileName, RemoteIP, count_

// Hunt for the EMS service spawning shells (post-exploitation). Run as a separate query.
// The vendor check is made on the InitiatingProcess* (parent) columns: the spawned
// shell itself is a Microsoft binary, so checking its own CompanyName would never match.
DeviceProcessEvents
| where InitiatingProcessFolderPath contains @"Fortinet\FortiClientEMS"
    or InitiatingProcessFileName =~ "java.exe"
| where InitiatingProcessVersionInfoCompanyName =~ "Fortinet" or InitiatingProcessCommandLine contains "fcems"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, CommandLine
Velociraptor VQL
-- Hunt for shells whose parent is FortiClient EMS or its Java service
-- (pslist() exposes only Ppid, so the parent is fetched with pslist(pid=Ppid))
SELECT * FROM foreach(
  row={ SELECT Pid AS ChildPid, Ppid, Name AS ChildName, CommandLine AS ChildCmd,
               Exe AS ChildExe, Username AS ChildUser
        FROM pslist() WHERE Name =~ '(?i)^(cmd|powershell|pwsh)[.]exe$' },
  query={ SELECT ChildPid, ChildName, ChildCmd, ChildExe, ChildUser, Pid AS ParentPid,
                 Name AS ParentName, CommandLine AS ParentCmd, Exe AS ParentExe
          FROM pslist(pid=Ppid)
          WHERE Name =~ '(?i)^java[.]exe$'
             OR CommandLine =~ 'FortiClientEMS' OR Exe =~ 'FortiClientEMS' })
Remediation Script (PowerShell)
# FortiClient EMS - Remediation Verification Script
# Checks service status and suggests patching for CVE-2026-35616
Write-Host "Checking FortiClient EMS Service Status..." -ForegroundColor Cyan
$serviceName = "FortiClient EMS Service"
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($service) {
    Write-Host "[+] Service Found: $($service.DisplayName)" -ForegroundColor Green
    Write-Host "    Status: $($service.Status)"
    Write-Host "    Start Type: $($service.StartType)"
    # Attempt to find installation path and version
    $regPath = "HKLM:\SOFTWARE\Fortinet\FortiClientEMS"
    if (Test-Path $regPath) {
        $installPath = (Get-ItemProperty $regPath).InstallPath
        if ($installPath) {
            Write-Host "    Install Path: $installPath"
            $exePath = Join-Path $installPath "FortiClientEMS.exe"
            if (Test-Path $exePath) {
                $versionInfo = (Get-Item $exePath).VersionInfo
                Write-Host "    Current Version: $($versionInfo.FileVersion)" -ForegroundColor Yellow
                Write-Host ""
                Write-Host "[!] ACTION REQUIRED:" -ForegroundColor Red
                Write-Host "    1. Verify this version against the Fortinet Advisory for CVE-2026-35616."
                Write-Host "    2. If the version is older than the fixed release, update immediately."
                Write-Host "    3. Ensure the EMS interface is not exposed to the public internet."
            }
        }
    }
} else {
    Write-Host "[-] FortiClient EMS Service not found on this host." -ForegroundColor Gray
}
Remediation
- Patch Immediately: Apply the security updates released by Fortinet for CVE-2026-35616. Ensure you are updating to the latest available build that addresses this specific Improper Access Control vulnerability. Check the Fortinet Security Advisory corresponding to CVE-2026-35616 for exact version numbers.
- Internet-Facing Exposure: FortiClient EMS is a management plane, not a user-facing service. Ensure that the management interface (ports 8013, 443, or 80) is not accessible from the internet. Restrict access strictly to internal management subnets via firewall ACLs or VPN requirements.
- Audit Logs: Review EMS access logs for the period leading up to the patch. Look for successful logins or API calls from unusual IP addresses or administrative accounts created around the time of suspicious activity.
- Credential Rotation: If exploitation is suspected, assume administrative credentials on the EMS platform are compromised. Rotate all EMS admin and database credentials immediately.
- CISA Deadline: Federal agencies must remediate this vulnerability by the due date specified in the KEV Catalog entry (typically within weeks of addition to KEV). Private sector entities should treat this timeline as a maximum target for completion.