Critical Vulnerability CVE-2026-35616 Exploited in FortiClient EMS
CVE-2026-35616, a critical vulnerability in FortiClient EMS, allows unauthenticated remote attackers to execute arbitrary code or commands via crafted API requests due to improper access control, with Fortinet confirming active exploitation.
Fortinet has released a hotfix for CVE-2026-35616, a critical vulnerability affecting FortiClient EMS. This flaw enables unauthenticated remote attackers to execute unauthorized code or commands by sending specially crafted requests. The root cause is improper access control within the API authentication process. Fortinet has confirmed that CVE-2026-35616 is being actively exploited in the wild. This vulnerability poses a significant risk to organizations using FortiClient EMS, as successful exploitation could lead to complete system compromise. Defenders need to apply the hotfix immediately and monitor for suspicious activity.
Attack Chain
- An unauthenticated attacker identifies a vulnerable FortiClient EMS server.
- The attacker crafts a malicious API request designed to bypass authentication controls.
- The crafted request exploits the improper access control vulnerability (CVE-2026-35616) in the API authentication process.
- The vulnerable FortiClient EMS server processes the request without proper authentication.
- The attacker injects and executes arbitrary code or commands on the FortiClient EMS server.
- The attacker gains control of the FortiClient EMS server.
- The attacker could leverage the compromised server to manage endpoints, deploy malicious software, or exfiltrate sensitive data.
Impact
Successful exploitation of CVE-2026-35616 allows unauthenticated remote attackers to execute arbitrary code or commands on a FortiClient EMS server. This could lead to full compromise of the server, potentially impacting hundreds or thousands of managed endpoints. Attackers could leverage this access to deploy ransomware, steal sensitive data, or disrupt business operations. The observed exploitation in the wild indicates a high risk of widespread attacks.
Recommendation
- Apply the Fortinet hotfix for CVE-2026-35616 to all FortiClient EMS servers immediately.
- Deploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.
- Monitor web server logs for unusual API requests targeting FortiClient EMS (see Sigma rules for examples).
- Enable logging on FortiClient EMS servers to facilitate investigation of potential incidents.
Detection coverage (2 rules)
Detect CVE-2026-35616 Exploitation Attempts via API Requests
Severity: critical. Detects suspicious API requests indicative of CVE-2026-35616 exploitation attempts targeting FortiClient EMS.
Detect CVE-2026-35616 Exploitation - Abnormal HTTP Status Code
Severity: high. Detects potential exploitation of CVE-2026-35616 based on abnormal HTTP status codes returned by the FortiClient EMS server after a POST request to authentication endpoints.
Detection queries are kept inside the platform.
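As an added example (not Fortinet's code and not the platform's Sigma rules), the logic of the second rule run over constructed web-server log lines: flag POST requests to authentication endpoints that end in an abnormal status code, then tally such events per client for triage. The endpoint prefixes and the "5xx is abnormal" threshold are assumptions, since the advisory names neither; replace them with the values from the vendor rules.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One combined-log-format line; only client, timestamp, method, path and status are captured.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# ASSUMPTION: the advisory does not name the EMS authentication endpoints; these
# placeholder prefixes must be replaced with the paths from the vendor's Sigma rules.
AUTH_PATH_PREFIXES = ("/api/v1/auth/", "/api/v1/session/")

@dataclass
class Finding:
    client: str
    ts: str
    path: str
    status: int

def is_abnormal_status(status: int) -> bool:
    # ASSUMPTION: "abnormal" is not defined on the page; a server error on an
    # authentication POST is treated as the signal, while 401/403 are ordinary failures.
    return status >= 500

def scan(lines):
    """Return one Finding per POST to an auth endpoint that ended in an abnormal status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        status = int(m["status"])
        if (m["method"] == "POST" and m["path"].startswith(AUTH_PATH_PREFIXES)
                and is_abnormal_status(status)):
            findings.append(Finding(m["client"], m["ts"], m["path"], status))
    return findings

def clients_over_threshold(findings, threshold=2):
    """Clients with at least `threshold` abnormal auth POSTs, to prioritise investigation."""
    counts = Counter(f.client for f in findings)
    return {c: n for c, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation IP ranges, not from a real incident).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Apr/2026:10:00:01 +0000] "POST /api/v1/auth/login HTTP/1.1" 401 0',
    '203.0.113.10 - - [01/Apr/2026:10:00:02 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Apr/2026:10:00:05 +0000] "POST /api/v1/auth/login HTTP/1.1" 500 0',
    '198.51.100.7 - - [01/Apr/2026:10:00:06 +0000] "POST /api/v1/auth/login HTTP/1.1" 502 0',
    'garbage line that does not parse',
]
```

Run `scan(SAMPLE_LOG)` to get the two findings for 198.51.100.7 and `clients_over_threshold(...)` to see that client surfaced for review; a failed login (401) is deliberately not flagged.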