{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/forticlient/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-35616"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["fortinet","forticlient","ems","rce","cve-2026-35616"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-35616, has been identified in Fortinet FortiClient EMS versions 7.4.5 through 7.4.6. This vulnerability allows unauthenticated attackers to bypass API authentication and authorization checks, enabling them to execute arbitrary code or commands on the EMS server. FortiClient EMS is a centralized platform used to deploy, configure, and monitor FortiClient agents across an organization, making it a high-value target. The vulnerability is being actively exploited in the wild. Successful exploitation can lead to full compromise of the EMS infrastructure, impacting all managed endpoints and potentially enabling lateral movement across enterprise networks. Defenders should prioritize patching and enhance monitoring capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable FortiClient EMS instance (versions 7.4.5 through 7.4.6) exposed on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP/API request targeting the unauthenticated API interface of the FortiClient EMS.\u003c/li\u003e\n\u003cli\u003eThe crafted request bypasses authentication and authorization checks due to improper access control (CWE-284).\u003c/li\u003e\n\u003cli\u003eThe bypassed access controls allow the attacker to execute unauthorized code or commands on the EMS server.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains control of administrative functionality on the FortiClient EMS server.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates or exfiltrates sensitive configuration and policy data stored on the EMS.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys malicious payloads to managed endpoints via the compromised EMS server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised EMS as a foothold for further network intrusion or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35616 can lead to a full compromise of the FortiClient EMS infrastructure. This includes the ability to manipulate or exfiltrate sensitive configuration and policy data, corrupt or disable endpoint protections, disrupt endpoint management services, and deploy malicious payloads to managed endpoints. The vulnerability enables lateral movement across enterprise networks. The CCB has confirmed that this vulnerability has been exploited in the wild.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest Fortinet patch for FortiClient EMS to remediate CVE-2026-35616 immediately.\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion as recommended by the CCB.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting unauthorized API access to the FortiClient EMS webserver to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T15:08:28Z","date_published":"2026-04-07T15:08:28Z","id":"/briefs/2026-04-forticlient-ems-rce/","summary":"A critical vulnerability, CVE-2026-35616, exists in Fortinet FortiClient EMS (Endpoint Management Server) allowing unauthenticated attackers to bypass API authentication and authorization checks to execute arbitrary code or commands, potentially leading to full compromise of the EMS infrastructure.","title":"Fortinet FortiClient EMS Unauthenticated Remote Code Execution via CVE-2026-35616","url":"https://feed.craftedsignal.io/briefs/2026-04-forticlient-ems-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-35616"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["fortinet","forticlient","ems","cve-2026-35616","vulnerability"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eFortinet has released a hotfix for CVE-2026-35616, a critical vulnerability affecting FortiClient EMS. This flaw enables unauthenticated remote attackers to execute unauthorized code or commands by sending specially crafted requests. The root cause is improper access control within the API authentication process. Fortinet has confirmed that CVE-2026-35616 is being actively exploited in the wild. This vulnerability poses a significant risk to organizations using FortiClient EMS, as successful exploitation could lead to complete system compromise. Defenders need to apply the hotfix immediately and monitor for suspicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable FortiClient EMS server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request designed to bypass authentication controls.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits the improper access control vulnerability (CVE-2026-35616) in the API authentication process.\u003c/li\u003e\n\u003cli\u003eThe vulnerable FortiClient EMS server processes the request without proper authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary code or commands on the FortiClient EMS server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the FortiClient EMS server.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage the compromised server to manage endpoints, deploy malicious software, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35616 allows unauthenticated remote attackers to execute arbitrary code or commands on a FortiClient EMS server. This could lead to full compromise of the server, potentially impacting hundreds or thousands of managed endpoints. Attackers could leverage this access to deploy ransomware, steal sensitive data, or disrupt business operations. The observed exploitation in the wild indicates a high risk of widespread attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the Fortinet hotfix for CVE-2026-35616 to all FortiClient EMS servers immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests targeting FortiClient EMS (see Sigma rules for examples).\u003c/li\u003e\n\u003cli\u003eEnable logging on FortiClient EMS servers to facilitate investigation of potential incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T20:37:27Z","date_published":"2026-04-06T20:37:27Z","id":"/briefs/2026-04-forticlient-ems-cve-2026-35616/","summary":"CVE-2026-35616, a critical vulnerability in FortiClient EMS, allows unauthenticated remote attackers to execute arbitrary code or commands via crafted API requests due to improper access control, with Fortinet confirming active exploitation.","title":"Critical Vulnerability CVE-2026-35616 Exploited in FortiClient EMS","url":"https://feed.craftedsignal.io/briefs/2026-04-forticlient-ems-cve-2026-35616/"}],"language":"en","title":"CraftedSignal Threat Feed — Forticlient","version":"https://jsonfeed.org/version/1.1"}