FortiClient EMS Zero-Day (CVE-2026-35616): Patch ASAP
Heads up, everyone. Fortinet just dropped an out-of-band patch for a critical vulnerability in FortiClient EMS (CVE-2026-35616). It's rated a 9.1 on the CVSS scale, and yes, it's being actively exploited in the wild.
The flaw is an Improper Access Control vulnerability (CWE-284) that allows for pre-authentication API access bypass. Essentially, an unauthenticated attacker can hit specific API endpoints and escalate privileges. Given that EMS is the central management console, this gives an attacker the keys to the kingdom—remote code execution on all connected endpoints is likely the endgame here.
If you haven't patched, verify your build immediately. Do not rely on the dashboard alone if you suspect compromise.
Here is a quick PowerShell snippet to check the installed version on your EMS servers:
# Win32_Product triggers an MSI consistency check (and possible repair) of every installed package, so run this in a maintenance window; Get-CimInstance replaces the deprecated Get-WmiObject
Get-CimInstance -ClassName Win32_Product | Where-Object { $_.Name -like "*FortiClient*EMS*" } | Select-Object Name, Version
For detection, start hunting your web server logs (usually IIS) for anomalous API calls. Since it's a bypass, look for successful POST or PUT requests to administrative API routes without a preceding authentication event or valid session token.
Example KQL query for Sentinel/Defender:
// Hunt the IIS logs (Sentinel W3CIISLog table); DeviceNetworkEvents carries no HTTP status or body columns
W3CIISLog
| where TimeGenerated > ago(7d)
| where csUriStem startswith "/api" and csMethod in ("POST", "PUT")
| where toint(scStatus) == 200
| summarize Requests = count(), Routes = make_set(csUriStem) by cIP, sComputerName, bin(TimeGenerated, 1h)
| order by Requests desc
Is anyone else seeing scanning activity against port 443 or the specific API endpoints on their EMS instances today?
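For anyone who pulls the raw IIS logs off the EMS box instead of querying Sentinel, here is an added Python hunt over W3C extended log lines that does the same two things the post describes: flag successful POST/PUT requests to /api routes, and list client IPs whose 401s on API routes flip to a 2xx. This is my own example, not Fortinet's or anyone's detection content; the log lines are constructed and the /api/v1 route names are assumed, not real EMS endpoints.

```python
"""Hunt IIS W3C logs for successful POST/PUT to /api routes and for client IPs
whose 401s turn into 2xx. Sample lines are constructed (not real FortiClient EMS
output) and the /api/v1 paths are assumed."""

# Constructed sample IIS log in W3C extended format. Field order is taken from
# the #Fields: directive, so the parser copes with other IIS field layouts too.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2026-04-10 09:01:12 10.0.0.5 GET /api/v1/status - 443 - 203.0.113.7 curl/8.0 401 0 0 12
2026-04-10 09:01:13 10.0.0.5 POST /api/v1/admin/users - 443 - 203.0.113.7 curl/8.0 401 0 0 9
2026-04-10 09:01:15 10.0.0.5 POST /api/v1/admin/users - 443 - 203.0.113.7 curl/8.0 200 0 0 140
2026-04-10 09:02:00 10.0.0.5 GET /static/app.js - 443 - 192.168.10.20 Mozilla/5.0 200 0 0 4
2026-04-10 09:02:05 10.0.0.5 PUT /api/v1/policies/3 - 443 admin 192.168.10.20 Mozilla/5.0 200 0 0 88
"""

API_PREFIX = "/api"            # from the thread; real EMS route names are not known here
WRITE_METHODS = {"POST", "PUT"}


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                     # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                     # skip malformed lines rather than abort the hunt
        yield dict(zip(fields, values))


def successful_api_writes(entries):
    """Entries that are successful (2xx) POST/PUT requests to API routes."""
    return [
        e for e in entries
        if e["cs-method"] in WRITE_METHODS
        and e["cs-uri-stem"].startswith(API_PREFIX)
        and e["sc-status"].startswith("2")
    ]


def auth_flip_sources(entries):
    """Client IPs that got a 401 on an API route and later a 2xx on one.
    Returns {client_ip: (index_of_first_401, index_of_first_2xx_after)}."""
    seen_401 = {}
    flips = {}
    for idx, e in enumerate(entries):
        if not e["cs-uri-stem"].startswith(API_PREFIX):
            continue
        ip, status = e["c-ip"], e["sc-status"]
        if status == "401" and ip not in seen_401:
            seen_401[ip] = idx
        elif status.startswith("2") and ip in seen_401 and ip not in flips:
            flips[ip] = (seen_401[ip], idx)
    return flips


def hunt(text):
    entries = list(parse_w3c(text))
    return {"api_writes": successful_api_writes(entries),
            "auth_flips": auth_flip_sources(entries)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for e in result["api_writes"]:
        print("API write:", e["c-ip"], e["cs-method"], e["cs-uri-stem"], e["sc-status"])
    for ip, (first, later) in result["auth_flips"].items():
        print(f"401 -> 2xx flip from {ip}: entry {first} then entry {later}")
```

On the sample data it flags both successful API writes and singles out 203.0.113.7 as the only source whose 401 flipped to a 200; a legitimate admin from the management range shows up in the first list but not the second, which is where you start triage.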
Good timing on this post. We saw a spike in 401s turning into 200s on our external-facing EMS firewall rules about two hours ago. The traffic looked like it was probing /api/v1/ endpoints directly. We blocked the originating IPs at the edge, but the patch is deploying now. If you can't patch immediately, restrict access to /api subdirectories to only known management IP ranges.
This is a nightmare for MSPs. We manage about 40 EMS instances, and restarting the EMS service for the update breaks the heartbeat for connected agents for a few minutes. Make sure you schedule this during maintenance windows or notify clients, otherwise your helpdesk will get flooded with 'endpoint offline' alerts.
I'm reviewing the patch notes, and the fix is specifically around the validation of the X-Forwarded-For header and session tokens in the API handler. If you are running EMS behind a reverse proxy, ensure you aren't blindly trusting forwarded headers until you've updated. An attacker can easily spoof that to bypass the logic if the service is misconfigured.
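Added example tying the two interim controls in this thread together (it is illustration code I wrote, not EMS or Fortinet logic): resolve the client address behind a reverse proxy without blindly trusting X-Forwarded-For, then only let /api routes through from known management ranges. The proxy address, the management range and the /api prefix are assumptions for the demo.

```python
"""Client-IP resolution behind a reverse proxy, weak form beside hardened form,
plus an /api allowlist check. Proxy and management addresses are constructed."""
import ipaddress

# Assumed deployment values (constructed for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]        # the reverse proxy in front of EMS
MANAGEMENT_RANGES = [ipaddress.ip_network("192.168.10.0/24")]   # where admin sessions should originate
API_PREFIX = "/api"


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip_naive(peer_ip, headers):
    """The weak pattern: whatever the client put in X-Forwarded-For wins,
    even when the connection did not come through the proxy at all."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)


def client_ip_hardened(peer_ip, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    take the right-most hop that is not itself a trusted proxy: that is the value
    the proxy appended, which the end client cannot control."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer                      # direct connection: the header is client-supplied
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                        # malformed hop: stop trusting the header
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer                          # proxy sent no usable client address


def api_request_allowed(peer_ip, headers, path, resolver=client_ip_hardened):
    """Interim control from the thread: /api reachable only from management ranges."""
    if not path.startswith(API_PREFIX):
        return True
    return _in_any(resolver(peer_ip, headers), MANAGEMENT_RANGES)


if __name__ == "__main__":
    forged = {"X-Forwarded-For": "192.168.10.20"}      # header set by a direct, non-proxied client
    print("naive:   ", api_request_allowed("203.0.113.7", forged, "/api/v1/admin", client_ip_naive))
    print("hardened:", api_request_allowed("203.0.113.7", forged, "/api/v1/admin"))
```

The difference is the peer check: the naive resolver lets a direct connection carrying a management-range address in the header through, while the hardened one only believes the header when the proxy is the thing talking to it, and even then reads the hop the proxy added rather than the first one. Until the patch lands, the same allowlist is better enforced at the edge (firewall or proxy) than in anything that parses headers.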