# ============================================================================
# CYBERDUDEBIVASH SENTINEL APEX — Detection Pack
# Traceability:
#   CVE ............ CVE-2026-35616
#   Vendor / Product Fortinet / FortiClient EMS
#   CISA KEV ....... added 2026-04-06, federal remediation due 2026-04-09
#   Ransomware ..... Unknown
#   NVD ............ https://nvd.nist.gov/vuln/detail/CVE-2026-35616
#   KEV catalog .... https://www.cisa.gov/known-exploited-vulnerabilities-catalog
# Every claim in this rule's metadata is verifiable against the sources above.
# ============================================================================
title: Fortinet FortiClient EMS Anomalous API Access (CVE-2026-35616)
id: c13338c6-f70d-553a-8621-5b3d2d10ecf7
status: experimental
description: |
    Detects access to FortiClient EMS API/console endpoints from unexpected sources, consistent with exploitation of the improper-access-control vulnerability.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-35616
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://blog.cyberdudebivash.in/detections/
author: CYBERDUDEBIVASH SENTINEL APEX
date: 2026/07/05
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.35616
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains:
            - '/api/'
            - '/cgi-bin/'
            - '/console'
        sc-status: 200
    filter_corp_source:
        c-ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_corp_source
    fields:
        - c-ip
        - cs-uri-stem
        - cs-user-agent
falsepositives:
    - Managed endpoints checking in from expected corporate ranges — scope the source filter to those.
level: high
