⚠ CISA KEV LISTED — CVE-2026-35616 FORTINET FORTICLIENT EMS ACTIVELY EXPLOITED — EMERGENCY PATCH REQUIRED
Critical, CVSS 9.8 | Active Exploitation | CISA KEV Listed | Sentinel APEX Report, 22 April 2026 | CVE-2026-35616

CRITICAL: Fortinet FortiClient EMS Zero-Day — CVE-2026-35616 (CVSS 9.8) Pre-Auth API Bypass Actively Exploited, CISA Mandates Emergency Patch

A pre-authentication improper access control vulnerability in Fortinet FortiClient EMS (versions 7.4.5–7.4.6) enables unauthenticated remote attackers to execute arbitrary commands with elevated privileges. Exploitation was first recorded against public honeypots on March 31, 2026. CISA added this to the Known Exploited Vulnerabilities catalog on April 6, 2026 — mandating Federal agencies patch by April 9. A full patch remains pending; only a hotfix is currently available.

CVSS Score: 9.8 (CRITICAL). Pre-Auth RCE, no user interaction.

Executive Summary

FortiClient EMS (Endpoint Management Server) is a central management platform for Fortinet's endpoint security suite, deployed across thousands of enterprise and government networks globally. CVE-2026-35616 is an improper access control flaw in the EMS API layer that allows an unauthenticated remote attacker to bypass authentication entirely and execute commands with elevated privileges on the EMS server.

The vulnerability was exploited in the wild as a zero-day — before Fortinet issued any advisory or patch. watchTowr's honeypot network detected active exploitation attempts beginning March 31, 2026. CISA's KEV listing on April 6 confirms exploitation in the field. Fortinet has released a hotfix for versions 7.4.5/7.4.6, but the full patch (expected in 7.4.7) has not yet shipped, leaving organizations running unpatched versions at critical risk from any internet-exposed EMS instance.

Threat actors exploiting this vulnerability can pivot from the EMS server to manage — and potentially weaponize — all endpoints enrolled in the EMS management system, representing a catastrophic supply-chain-style compromise vector for organizations with large Fortinet endpoint deployments.


Technical Breakdown

CVE-2026-35616 — Fortinet FortiClient EMS

Improper Access Control (CWE-284) in the EMS API endpoint handling layer. Certain API endpoints fail to properly validate session tokens and authentication state before executing privileged operations. An attacker sends crafted unauthenticated HTTP requests that bypass the access control gate, enabling direct execution of management commands with EMS SYSTEM-level privileges.

CVSS: 9.8 (Critical)
Class: Pre-Auth RCE, No User Interaction
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-284
Affects: 7.4.5 – 7.4.6

Root Cause Analysis

The flaw resides in FortiClient EMS's REST API authentication middleware. Specific API routes — particularly those handling endpoint policy deployment and remote command execution — perform authentication checks via a middleware layer that can be bypassed by manipulating HTTP headers and request routing. The improper access control allows an attacker to reach privileged API handlers without a valid session token, effectively treating the request as if it originated from an authenticated administrator.

Credited discoverers Simo Kohonen (Defused Cyber) and Nguyen Duc Anh identified the specific request parameters that trigger the authentication bypass; the technique has since been replicated and weaponized by multiple threat actor groups.


Exploitation Timeline

31 Mar 2026: watchTowr honeypot network detects first exploitation attempts against FortiClient EMS API endpoints. Zero-day status confirmed — no patch or CVE exists at this point.
04 Apr 2026: Fortinet issues private notification to EMS customers. Emergency hotfix development begins. CVE identifier assigned.
06 Apr 2026: CISA adds CVE-2026-35616 to the Known Exploited Vulnerabilities catalog. Federal agencies given 3-day remediation deadline (April 9). Public advisory released.
07 Apr 2026: Fortinet releases emergency hotfix for versions 7.4.5 and 7.4.6. Full patch (version 7.4.7) announced but not yet available.
09 Apr 2026: CISA's federal remediation deadline. Multiple PoC implementations circulating in underground forums and security research communities.
22 Apr 2026: Exploitation continues. Full patch (7.4.7) still pending. Organizations on hotfix considered partially protected. All unpatched instances remain at critical risk.

Observed Attack Chain

1. Reconnaissance — Internet-Exposed EMS Discovery
   Threat actors use Shodan, Censys, and FOFA to enumerate internet-exposed Fortinet FortiClient EMS servers. Default EMS TCP ports (443, 8013) are used for rapid fingerprinting and version identification.

2. Authentication Bypass — CVE-2026-35616
   Attacker sends crafted unauthenticated POST requests to the vulnerable API endpoint with manipulated headers. Authentication middleware fails to validate session state. Server returns a privileged API response as if the request came from an authenticated admin.

3. Command Execution on EMS Server
   With the authentication bypass established, the attacker invokes EMS management API calls to execute OS-level commands on the EMS server host with SYSTEM/root privileges. A web shell or reverse shell is deployed for persistent access.

4. Managed Endpoint Takeover
   The EMS server has administrative authority over all enrolled FortiClient endpoints. The attacker uses the compromised EMS to push malicious policy configurations, deploy remote commands, or exfiltrate endpoint telemetry (including credentials, network topology, and security configuration) from the entire managed fleet.

5. Network-Wide Persistence & Lateral Movement
   FortiClient's deep endpoint integration (VPN credentials, network segmentation visibility, certificate stores) enables rapid lateral movement. Threat actors observed establishing VPN backdoors, exfiltrating AD credentials, and staging ransomware across the entire Fortinet-managed environment.

MITRE ATT&CK Mapping

Technique ID | Tactic | Technique Name | Context
T1190 | Initial Access | Exploit Public-Facing Application | Pre-auth bypass of internet-exposed EMS API
T1059.004 | Execution | Command and Scripting Interpreter: Unix Shell | Shell commands executed via compromised EMS API
T1505.003 | Persistence | Server Software Component: Web Shell | Web shell deployed on EMS server for persistent access
T1078.003 | Defense Evasion | Valid Accounts: Local Accounts | EMS admin account impersonation post-bypass
T1552.001 | Credential Access | Credentials in Files | EMS credential store exfiltration (VPN creds, certificates)
T1021.005 | Lateral Movement | Remote Services: VNC | Lateral movement via harvested VPN credentials from EMS
T1486 | Impact | Data Encrypted for Impact | Ransomware staged across EMS-managed endpoint fleet

Indicators of Compromise (IOCs)

Type | Indicator | Description | Confidence
URL PATTERN | POST /api/v2/management/endpoints/[id]/commands with no Authorization header | Exploit request pattern — unauthenticated privileged API call | CRITICAL
HTTP HEADER | X-Forwarded-For: 127.0.0.1 combined with X-EMS-Admin: true | Header combination observed in exploitation attempts | HIGH
FILE PATH | /opt/forticlient-ems/apache/htdocs/api/shell.php | Web shell dropped by post-exploitation stage | HIGH
IP ADDRESS | 185.220.101.0/24 (Tor exit node range) | Observed scanner/exploit source range — block at perimeter | MEDIUM
PROCESS | apache2 / httpd spawning bash/sh with non-standard arguments | EMS web server spawning shell — post-exploitation command execution | HIGH
LOG PATTERN | EMS access log: POST /api/v2/* HTTP/1.1" 200 with empty Authorization field | Successful unauthenticated API access — active exploitation confirmed | CRITICAL

Detection Strategy

API Access Log Monitoring

The primary detection signal is successful (HTTP 200) responses to privileged EMS API endpoints from requests lacking a valid Authorization header. This pattern should never occur in a legitimate deployment.

Detection — EMS API Anomaly (Log Analysis / grep)
# Monitor EMS Apache access logs for unauthenticated privileged API success.
# Assumption (not from the advisory): the EMS LogFormat appends the request's
# Authorization header as the final quoted field ("%{Authorization}i"), so the
# last awk field is "-" when the header is absent. The stock combined format
# does not log that header at all, and the request path ($7) never contains it,
# so a check such as $7 !~ /Authorization/ would match every line.
grep -E '"POST /api/v2/(management|endpoints|commands|policy)' \
  /var/log/forticlient-ems/access.log | \
  awk '$9 == 200 && $NF == "\"-\"" {print $1, $4, $6, $7, $9, $NF}'

# Alert trigger: ANY match = CRITICAL — investigate immediately
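The same signal as a small, testable log analyser, added here as an example (it is not part of the advisory and not Fortinet's code). It assumes the EMS Apache access log uses the combined format with the request's Authorization header appended as a final quoted field (logged as "-" when absent), that EMS sessions are presented as "Authorization: Bearer <token>", and that the privileged path prefixes are the ones in the grep rule above. The log lines inside the block are constructed, not captured traffic. Unlike the grep pipeline it also counts rejected (non-200) unauthenticated attempts and lines it cannot parse, so a log-format change cannot silently blind the detector.

```python
"""Flag successful, unauthenticated POSTs to privileged FortiClient EMS API paths.

Added example for this advisory; not Fortinet's code and not part of the
original report. Assumptions: combined Apache log format with the request's
Authorization header appended as a final quoted field ("-" when absent);
EMS sessions presented as "Authorization: Bearer <token>"; privileged
prefixes taken from the advisory's grep rule. Sample log lines are constructed.
"""
import re
from dataclasses import dataclass

# Path prefixes the advisory treats as privileged (from its grep pattern).
PRIVILEGED_PREFIXES = (
    "/api/v2/management",
    "/api/v2/endpoints",
    "/api/v2/commands",
    "/api/v2/policy",
)

# Constructed sample: combined log + trailing "%{Authorization}i" field.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Apr/2026:02:14:07 +0000] "POST /api/v2/management/endpoints/42/commands HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"
198.51.100.7 - - [05/Apr/2026:02:15:11 +0000] "POST /api/v2/management/endpoints/42/commands HTTP/1.1" 200 512 "-" "Mozilla/5.0" "Bearer eyJhbGciOiJIUzI1NiJ9.example"
203.0.113.10 - - [05/Apr/2026:02:16:30 +0000] "GET /api/v2/status HTTP/1.1" 200 88 "-" "curl/8.4" "-"
203.0.113.11 - - [05/Apr/2026:02:17:02 +0000] "POST /api/v2/endpoints/7/policy HTTP/1.1" 401 0 "-" "curl/8.4" "-"
this line is not an access-log record
"""

# ip, ident, user, [timestamp], "METHOD path proto", status, bytes, "referer", "UA", "auth"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<auth>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    severity: str   # "CRITICAL" for a 200, "MEDIUM" for a rejected attempt
    ip: str
    ts: str
    path: str
    status: str


def is_privileged(path: str) -> bool:
    """True when the request path (query string ignored) sits under a privileged prefix."""
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p + "/") for p in PRIVILEGED_PREFIXES)


def has_session_token(auth: str) -> bool:
    """True only for a non-empty Bearer token; "-" is Apache's marker for a missing header."""
    return auth.startswith("Bearer ") and len(auth) > len("Bearer ")


def analyse(log_text: str) -> dict:
    """Return findings plus the number of lines the parser could not read.

    A 200 to a privileged POST without a token is the advisory's CRITICAL
    signal; a non-200 to the same path without a token is still an attempt
    worth recording. Unparseable lines are counted rather than dropped.
    """
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        if m["method"] != "POST" or not is_privileged(m["path"]):
            continue
        if has_session_token(m["auth"]):
            continue
        sev = "CRITICAL" if m["status"] == "200" else "MEDIUM"
        findings.append(Finding(sev, m["ip"], m["ts"], m["path"], m["status"]))
    return {"findings": findings, "unparsed": unparsed}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f.severity}: {f.ip} {f.ts} {f.status} {f.path}")
    print(f"unparsed lines: {result['unparsed']}")
```

On the constructed sample this yields one CRITICAL finding (the 200 with no token), one MEDIUM attempt (the 401), and one unparsed line; the request carrying a Bearer token and the GET to a non-privileged path are ignored. Point the script at the real access log by replacing SAMPLE_LOG with the file contents, and treat a non-zero unparsed count as a prompt to re-check the LogFormat assumption.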

Web Shell Detection

Detection — Web Shell File Integrity (Linux/find)
find /opt/forticlient-ems/apache/htdocs/ -name "*.php" \
  -newer /opt/forticlient-ems/apache/htdocs/index.html \
  -type f -exec ls -la {} \;
# Any .php file newer than the installation date is suspicious

SIEM Correlation Rules

Splunk (SPL) — FortiClient EMS API Anomaly
index=forticlientems sourcetype=access_log method=POST
  uri_path IN ("/api/v2/management*","/api/v2/endpoints*") status=200
| where isnull(authorization) OR NOT match(authorization, "Bearer .+")
| eval risk_score=95, alert="CRITICAL: Unauthenticated EMS API Success"
| table _time, src_ip, uri_path, status, authorization, bytes
| sort - _time

The isnull() clause matters: match() on an event with no authorization field returns null, and `where NOT null` drops the event, which would silently exclude exactly the requests that carry no Authorization header.
Microsoft Sentinel (KQL) — EMS Process Anomaly
Syslog
| where ProcessName in ("apache2", "httpd")
| where SyslogMessage contains "execve" and SyslogMessage contains "bash"
| where Computer contains "ems" or Computer contains "forticlient"
| extend AlertSeverity = "Critical", CVE = "CVE-2026-35616"
| project TimeGenerated, Computer, ProcessName, SyslogMessage

Defensive Actions — Immediate Playbook

  • Apply Fortinet's emergency hotfix immediately — Download and apply the official hotfix for FortiClient EMS 7.4.5/7.4.6 from the Fortinet Support Portal. Do not wait for version 7.4.7. Every hour of delay on an internet-exposed EMS is active risk.
  • Immediately restrict EMS internet exposure — FortiClient EMS should NEVER be directly internet-facing. Place behind VPN or Zero Trust Network Access (ZTNA) gateway. If currently exposed, take offline until patched.
  • Audit EMS for signs of compromise NOW — Check all API access logs for unauthenticated successful requests to management endpoints. Search for unauthorized .php files in web directories. Review all OS-level processes spawned by the EMS service account.
  • Rotate all EMS-stored credentials — FortiClient EMS stores VPN credentials, certificates, and policy keys for managed endpoints. If any indication of compromise exists, treat all stored credentials as compromised and rotate immediately.
  • Implement WAF rules to block exploit patterns — Deploy WAF rules to block POST requests to /api/v2/management/* and /api/v2/endpoints/* paths from any source without a valid session token. Block suspicious header combinations (X-Forwarded-For: 127.0.0.1 combined with admin impersonation headers).
  • Enable enhanced EMS logging and SIEM forwarding — Ensure full EMS API access logs are forwarded to your SIEM in real time. Deploy the detection queries above. Set automated containment: if unauthenticated privileged API access detected, auto-isolate EMS server from network.
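The two WAF rules in the playbook (block privileged POSTs that carry no session token; block the loopback X-Forwarded-For plus admin-impersonation header combination) expressed as a request pre-filter, added here as an example. It is not the advisory's or Fortinet's code and is not a vendor WAF signature; it is a plain function a reverse proxy or WSGI/ASGI middleware in front of EMS could call before forwarding. Assumptions: EMS sessions are presented as "Authorization: Bearer <token>", and the protected path prefixes and header names are those listed in the playbook and IOC table. The sample requests are constructed. It goes slightly beyond the playbook text by canonicalising the path first, so dot-segment tricks cannot route around a prefix check.

```python
"""Request pre-filter implementing the playbook's two WAF rules for FortiClient EMS.

Added example for this advisory; not Fortinet's code and not part of the
original report. Assumptions: EMS sessions presented as
"Authorization: Bearer <token>"; protected prefixes and header names as
listed in the playbook and IOC table. Sample requests are constructed.
"""
import posixpath
from typing import Mapping, Optional

# Rule 1: a POST under these prefixes requires a session token.
PROTECTED_PREFIXES = ("/api/v2/management", "/api/v2/endpoints")
# Rule 2: a loopback hop in X-Forwarded-For plus an admin impersonation header.
LOOPBACK = frozenset({"127.0.0.1", "::1", "localhost"})
ADMIN_IMPERSONATION_HEADERS = frozenset({"x-ems-admin"})


def canonical_path(raw: str) -> str:
    """Drop the query string and collapse dot-segments so that
    '/api/v2/status/../management/x' is judged as '/api/v2/management/x'."""
    path = posixpath.normpath(raw.split("?", 1)[0])
    while path.startswith("//"):      # POSIX normpath keeps a leading '//'
        path = path[1:]
    return path


def _lower_headers(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def block_reason(method: str, path: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return the reason a request must be blocked, or None to let it through."""
    h = _lower_headers(headers)

    # Rule 2 first, because it applies to every path. No genuine external
    # client arrives with a loopback address in X-Forwarded-For, so a loopback
    # hop together with an impersonation header is treated as spoofing.
    hops = [hop.strip() for hop in h.get("x-forwarded-for", "").split(",") if hop.strip()]
    if any(hop in LOOPBACK for hop in hops) and any(n in h for n in ADMIN_IMPERSONATION_HEADERS):
        return "loopback X-Forwarded-For combined with admin impersonation header"

    # Rule 1: a privileged POST must carry a non-empty Bearer session token.
    cpath = canonical_path(path)
    protected = any(cpath == p or cpath.startswith(p + "/") for p in PROTECTED_PREFIXES)
    if method.upper() == "POST" and protected:
        auth = h.get("authorization", "")
        if not (auth.startswith("Bearer ") and auth[len("Bearer "):].strip()):
            return "POST to protected EMS API path without a session token"
    return None


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    samples = [
        ("POST", "/api/v2/management/endpoints/42/commands", {}),
        ("POST", "/api/v2/management/endpoints/42/commands", {"Authorization": "Bearer tok"}),
        ("GET", "/api/v2/status", {"X-Forwarded-For": "127.0.0.1, 203.0.113.5", "X-EMS-Admin": "true"}),
        ("POST", "/api/v2/status/../management/endpoints/1/commands", {}),
    ]
    for method, path, headers in samples:
        print(method, path, "->", block_reason(method, path, headers) or "allow")
```

A filter like this is a stop-gap for an exposed instance until the hotfix is applied and the server is moved behind VPN or ZTNA; it does not validate the token itself, only that a token is presented, so EMS must still enforce the session. Log every block decision with the source address so the detection queries above can correlate blocked attempts with anything that reached the server before the rule was deployed.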