CVE-2026-35616: Fortinet FortiClientEMS Exploited in the Wild — Detection and Emergency Hardening
Introduction
We are observing active exploitation of CVE-2026-35616, a critical improper access control vulnerability affecting Fortinet FortiClientEMS (Enterprise Management Server). Fortinet released advisory FG-IR-26-099 on April 4, confirming that this vulnerability is being targeted in the wild. Given the history of Fortinet products being leveraged as initial access vectors for ransomware operations, Security Arsenal recommends immediate patching. This is not a theoretical risk; the unpatched status of many devices makes this a critical priority for SOC and IR teams.
Technical Analysis
- CVE ID: CVE-2026-35616
- Affected Product: Fortinet FortiClientEMS (Enterprise Management Server)
- Vulnerability Type: Improper Access Control (CWE-284)
- Severity: Critical (CVSS v3 score pending, but assessed as critical by vendor due to impact)
- Advisory: FG-IR-26-099
Attack Mechanics
CVE-2026-35616 stems from an improper access control flaw within the FortiClientEMS server interface. An unauthenticated, remote attacker can send specially crafted requests to the vulnerable component to bypass authentication mechanisms.
While specific technical exploit details are currently under embargo to allow wider patch adoption, the attack surface typically involves the web management interface (usually ports 80/443 or custom management ports). Successful exploitation allows an attacker to:
- Bypass Authentication: Gain administrative access to the EMS management console without valid credentials.
- Execute Arbitrary Code: In many EMS exploitation scenarios, authentication bypass leads to Remote Code Execution (RCE) via deserialization or command injection within the underlying application server context.
- Lateral Movement: With control over EMS, attackers can manipulate managed endpoints, deploy payloads, or disable AV protections on the fleet.
Exploitation Status
- Status: Confirmed Exploited in the Wild.
- Public Exploit Code: Public proof-of-concept (PoC) code has been identified.
- Patch Availability: Fortinet has released hotfixes. Immediate installation is required.
Detection & Response
Detecting the initial access attempt (the web request) can be difficult without deep packet inspection or specific WAF signatures. However, the post-exploitation behavior—specifically the web server process spawning a shell—is a reliable high-fidelity indicator of compromise for this class of vulnerability.
Sigma Rules
---
title: FortiClientEMS Spawning System Shell
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects FortiClientEMS service spawning cmd.exe or powershell.exe, indicating potential post-exploitation activity or webshell execution.
references:
  - https://fortiguard.com/encyclopedia/ips/47755
  - https://www.tenable.com/blog/cve-2026-35616-fortinet-forticlientems-improper-access-control-vulnerability-exploited-in-the
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: 'FortiClientEMS.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative debugging (rare)
level: critical
---
title: FortiClientEMS Suspicious File Creation
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects creation of executables or scripts within the FortiClientEMS directory tree by the EMS process itself, suggesting web upload or drop.
references:
  - https://attack.mitre.org/techniques/T1505/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_create
  product: windows
detection:
  selection:
    Image|endswith: 'FortiClientEMS.exe'
    TargetFilename|contains: 'Fortinet'
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.bat'
      - '.vbs'
      - '.ps1'
  condition: selection
falsepositives:
  - Software updates or legitimate plugin installations
level: high
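To see how the two selections above behave on telemetry, here is an added Python evaluator (example code, not part of the original post) that applies their logic, including Sigma's case-insensitive endswith/contains semantics, to constructed Sysmon-style events; field names follow the Sigma windows log sources and every path and command line is made up.

```python
# Sigma string modifiers match case-insensitively; the leading backslash on the
# shell names means "notcmd.exe" must not match "\cmd.exe".
EMS_IMAGE = ("forticlientems.exe",)
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
DROP_EXTENSIONS = (".exe", ".dll", ".bat", ".vbs", ".ps1")

def endswith_ci(value, suffixes):
    """Sigma 'endswith' modifier: case-insensitive, true if any listed suffix matches."""
    return any(value.lower().endswith(s) for s in suffixes)

def ems_spawns_shell(ev):
    """Rule 1: FortiClientEMS.exe is the parent of cmd.exe, powershell.exe or pwsh.exe."""
    return (ev.get("category") == "process_creation"
            and endswith_ci(ev.get("ParentImage", ""), EMS_IMAGE)
            and endswith_ci(ev.get("Image", ""), SHELL_IMAGES))

def ems_drops_executable(ev):
    """Rule 2: the EMS process writes an executable or script under a 'Fortinet' path."""
    target = ev.get("TargetFilename", "")
    return (ev.get("category") == "file_create"
            and endswith_ci(ev.get("Image", ""), EMS_IMAGE)
            and "fortinet" in target.lower()        # Sigma 'contains', case-insensitive
            and endswith_ci(target, DROP_EXTENSIONS))

def triage(events):
    """Return (rule title, evidence) for every event a rule fires on."""
    hits = []
    for ev in events:
        if ems_spawns_shell(ev):
            hits.append(("FortiClientEMS Spawning System Shell", ev.get("CommandLine", "")))
        if ems_drops_executable(ev):
            hits.append(("FortiClientEMS Suspicious File Creation", ev["TargetFilename"]))
    return hits

# Constructed sample telemetry: field names follow Sigma's windows process_creation
# and file_create log sources; the paths and command lines are made up for this example.
EMS = r"C:\Program Files (x86)\Fortinet\FortiClientEMS\FortiClientEMS.exe"
SAMPLE_EVENTS = [
    {"category": "process_creation", "ParentImage": EMS,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"category": "process_creation", "ParentImage": r"C:\Windows\explorer.exe",   # benign parent
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe"},
    {"category": "process_creation", "ParentImage": EMS.upper(),                  # mixed case
     "Image": r"C:\Program Files\PowerShell\7\PWSH.EXE", "CommandLine": "pwsh -NoProfile"},
    {"category": "file_create", "Image": EMS,
     "TargetFilename": r"C:\Program Files (x86)\Fortinet\FortiClientEMS\web\upload.ps1"},
    {"category": "file_create", "Image": EMS,                                      # benign log write
     "TargetFilename": r"C:\Program Files (x86)\Fortinet\FortiClientEMS\logs\ems.log"},
]
if __name__ == "__main__":
    for title, evidence in triage(SAMPLE_EVENTS):
        print(f"[{title}] {evidence}")
```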
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious parent-child process relationships involving FortiClientEMS
DeviceProcessEvents
| where InitiatingProcessFileName =~ "FortiClientEMS.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, CommandLine, FileName, FolderPath
| order by Timestamp desc
Velociraptor VQL
// Hunt for EMS process spawning shells.
// VQL has no JOIN: resolve the parent with a LET query and foreach() instead,
// and match names with =~ (regex, case-insensitive) so PWSH.EXE is not missed.
LET ems_parents = SELECT Pid AS ParentPid, Name AS ParentName
  FROM pslist()
  WHERE Name =~ "^FortiClientEMS[.]exe$"

SELECT * FROM foreach(row=ems_parents, query={
  SELECT ParentPid, ParentName, Pid, Name, CommandLine, Exe, Username, CreateTime
  FROM pslist()
  WHERE Ppid = ParentPid
    AND Name =~ "^(cmd|powershell|pwsh)[.]exe$"
})
Remediation Script (PowerShell)
This script audits the installed version of FortiClientEMS against the vulnerability. Note: Administrators must update the $safeVersion variable based on the specific hotfix build numbers provided in FG-IR-26-099.
# FortiClientEMS Vulnerability Auditor
# Checks for the presence of the vulnerable executable and version.
$targetPath = "${env:ProgramFiles(x86)}\Fortinet\FortiClientEMS"
$targetExe  = "FortiClientEMS.exe"
$fullPath   = Join-Path -Path $targetPath -ChildPath $targetExe

# NOTE: Update this version string with the HOTFIX version from the advisory.
# If the installed version is LOWER than this, the system is vulnerable.
# Example: "7.2.0.0"
$safeVersion = [version]"7.2.0.0"

if (Test-Path $fullPath) {
    $fileInfo       = Get-Item $fullPath
    $currentVersion = $fileInfo.VersionInfo.FileVersion
    Write-Host "[+] Detected FortiClientEMS at: $fullPath" -ForegroundColor Cyan
    Write-Host "[+] Installed Version: $currentVersion" -ForegroundColor Cyan

    # FileVersion is free text in the PE resource; guard the cast so a non-numeric
    # string is reported instead of aborting the audit.
    $parsed = $null
    if (-not [version]::TryParse($currentVersion, [ref]$parsed)) {
        Write-Host "[?] Could not parse '$currentVersion' as a version; verify manually against FG-IR-26-099." -ForegroundColor Yellow
    } elseif ($parsed -lt $safeVersion) {
        Write-Host "[!] ALERT: Version is vulnerable. Upgrade to $safeVersion or higher immediately." -ForegroundColor Red
        Write-Host "[!] Advisory: FG-IR-26-099" -ForegroundColor Red
    } else {
        Write-Host "[*] Version appears patched based on input baseline." -ForegroundColor Green
    }
} else {
    Write-Host "[-] FortiClientEMS not found at default path." -ForegroundColor Gray
}
Remediation
- Apply Hotfixes Immediately: Fortinet has released hotfixes for this vulnerability. Check Fortinet Advisory FG-IR-26-099 for the specific build number applicable to your version (7.0, 7.2, etc.).
- Restrict Network Access: If patching is delayed, restrict management interface access (HTTPS/HTTP) to the FortiClientEMS server strictly from trusted internal IP subnets or management VPNs. Do not expose the EMS interface directly to the internet.
- Audit for Compromise: Review logs for suspicious administrative logins or process execution spikes around the April 4 timeframe.
- Review Managed Endpoints: If the EMS server is compromised, verify that no malicious tasks or software were pushed to the managed FortiClient endpoints.