FortiClient EMS under Attack: CVE-2026-35616 Deep Dive & Hardening
Just spotted the alert from Fortinet regarding CVE-2026-35616. They've released out-of-band patches for a critical flaw in FortiClient EMS that is already being exploited in the wild. With a CVSS score of 9.1, this is a drop-everything moment for anyone managing this infrastructure.
The vulnerability is a pre-authentication API access bypass (CWE-284) leading to privilege escalation. Essentially, attackers can hit the API before logging in to gain high-level privileges. This is particularly dangerous because EMS is the central management hub; compromising it gives an attacker control over all connected endpoints.
I've whipped up a quick PowerShell snippet to help identify vulnerable versions (adjust the version array based on the specific advisory bulletin):
# Check FortiClient EMS service version.
# Note: querying Win32_Product makes Windows Installer run a consistency check
# on every installed package, so this is slow; fine for a one-off check.
$emsService = Get-CimInstance -ClassName Win32_Product |
    Where-Object { $_.Name -like "*FortiClient EMS*" } |
    Select-Object -First 1
# Verify the exact affected builds in the Fortinet advisory before relying on this list.
$vulnerableBuilds = @("7.2.0", "7.2.1")
if ($emsService -and $vulnerableBuilds -contains $emsService.Version) {
    Write-Host "[ALERT] Vulnerable FortiClient EMS detected: " -NoNewline
    Write-Host $emsService.Version -ForegroundColor Red
} elseif ($emsService) {
    Write-Host "[INFO] Current Version: " -NoNewline
    Write-Host $emsService.Version -ForegroundColor Cyan
} else {
    Write-Host "[WARN] FortiClient EMS not found via WMI."
}
Aside from patching, I highly recommend restricting access to the EMS management interface immediately. Is anyone seeing signs of active scanning on port 443 or 8013 in their environment?
Thanks for the script. As a SOC analyst, I'm already pivoting to our proxy logs. Since this is an API bypass, we should be hunting for successful 200 OK responses to API endpoints originating from unusual IPs or User-Agents that don't match the EMS console or known agents. Specifically, look for POST requests to /api/v1/system/ or similar administrative paths without a preceding login event.
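The hunt described in this reply, written out as an added example (not code from the thread or from Fortinet): it walks a few constructed proxy log lines and flags successful POSTs to /api/v1/system/ paths that either have no preceding login from the same source IP or come from a User-Agent outside an allow-list of expected clients. The log line format, the login path /api/v1/auth/login and the console User-Agent string are assumptions, not values from the advisory.

```python
import re

# Constructed sample proxy log lines (not real traffic). Assumed format:
# <timestamp> <src_ip> <method> <path> <status> "<user-agent>"
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 10.0.0.5 POST /api/v1/auth/login 200 "FortiClientEMS-Console/7.2"
2026-03-01T10:00:05Z 10.0.0.5 POST /api/v1/system/settings 200 "FortiClientEMS-Console/7.2"
2026-03-01T10:01:10Z 203.0.113.7 POST /api/v1/system/admin 200 "python-requests/2.31"
2026-03-01T10:01:12Z 203.0.113.9 GET /api/v1/system/info 401 "curl/8.0"
2026-03-01T10:02:00Z 10.0.0.8 POST /api/v1/system/policy 200 "FortiClientEMS-Console/7.2"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
ADMIN_PREFIXES = ("/api/v1/system/",)        # administrative path named in the thread
LOGIN_PATH = "/api/v1/auth/login"             # assumed placeholder, not from the advisory
KNOWN_AGENTS = ("FortiClientEMS-Console/",)   # assumed allow-list of expected clients

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, ua = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "status": int(status), "ua": ua}

def hunt(log_text):
    """Return (ip, path, reasons) for successful admin API POSTs that had no
    prior successful login from the same source IP or used an unexpected UA."""
    logged_in = set()   # source IPs that completed a login earlier in the log
    findings = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        if ev["path"] == LOGIN_PATH and ev["status"] == 200:
            logged_in.add(ev["ip"])
            continue
        # Only successful POSTs to administrative paths are of interest here.
        if ev["method"] != "POST" or ev["status"] != 200:
            continue
        if not ev["path"].startswith(ADMIN_PREFIXES):
            continue
        reasons = []
        if ev["ip"] not in logged_in:
            reasons.append("no prior login")
        if not ev["ua"].startswith(KNOWN_AGENTS):
            reasons.append("unexpected user-agent")
        if reasons:
            findings.append((ev["ip"], ev["path"], ", ".join(reasons)))
    return findings
```

On the constructed sample, 10.0.0.5 is cleared by its earlier login, while 203.0.113.7 (no login, scripted client) and 10.0.0.8 (no login) are reported; the same loop runs unchanged over a real export once the regex matches your proxy's format.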
Just finished patching ours. It went smoothly, but I agree with the access control point. We threw our EMS behind a Zero Trust tunnel months ago for exactly this reason. If your EMS is facing the public internet, disable that interface immediately via the firewall while you schedule the maintenance window.