CVE-2026-35616

CVE-2026-35616 — Fortinet FortiClient EMS Improper Access Control Exploitation

Detects exploitation attempts targeting CVE-2026-35616, an improper access control vulnerability (CWE-284) in Fortinet FortiClient Enterprise Management Server (EMS). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may leverage this flaw to bypass access controls on the EMS server, potentially enabling unauthorized configuration changes, endpoint agent manipulation, or lateral movement through managed endpoints.

Vulnerability Intelligence

Exploitation status: KEV (listed in CISA's Known Exploited Vulnerabilities catalog)

Affected Software
  • Vendor: Fortinet
  • Product: FortiClient EMS

Weakness (CWE): CWE-284 (Improper Access Control)

Timeline
  • Disclosed: April 6, 2026

CVSS: Unscored

Write-up: coming soon

What is CVE-2026-35616 — Fortinet FortiClient EMS Improper Access Control Exploitation?

CVE-2026-35616 — Fortinet FortiClient EMS Improper Access Control Exploitation maps to the MITRE ATT&CK tactics Initial Access (the adversary is trying to get into your network), Persistence, Privilege Escalation and Lateral Movement.

This page provides production-ready detection logic for CVE-2026-35616 — Fortinet FortiClient EMS Improper Access Control Exploitation, covering the data sources and telemetry it touches: CommonSecurityLog, DeviceEvents, AzureActivity. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactics: Initial Access, Persistence, Privilege Escalation, Lateral Movement

Microsoft Sentinel / Defender (KQL)

union
(
    CommonSecurityLog
    | where TimeGenerated > ago(7d)
    | where DeviceVendor =~ "Fortinet"
    | where DeviceProduct has_any ("FortiClient", "EMS", "FortiClient EMS")
    | where Activity has_any ("access denied", "authorization failure", "improper access", "privilege escalation", "unauthorized", "access control bypass")
    | project TimeGenerated, DeviceVendor, DeviceProduct, Activity, SourceIP, DestinationIP, DestinationPort, RequestURL, AdditionalExtensions, Message
),
(
    DeviceEvents
    | where TimeGenerated > ago(7d)
    | where InitiatingProcessFileName has_any ("FortiEMSAgent", "fcems", "fcemsvc")
    | where ActionType has_any ("ProcessCreated", "NetworkConnectionInspected", "RegistryValueSet")
    | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, RemoteIP, RemotePort, RegistryKey
),
(
    AzureActivity
    | where TimeGenerated > ago(7d)
    | where Properties has "FortiClient"
    | where ActivityStatus =~ "Failed"
    | project TimeGenerated, Caller, CallerIpAddress, OperationName, ResourceGroup, ActivityStatus, Properties
)
| sort by TimeGenerated desc

Hunts for CVE-2026-35616 exploitation signals across Fortinet CommonSecurityLog events, endpoint device events involving FortiClient EMS processes, and Azure activity anomalies. Surfaces access control failures, unauthorized requests, and abnormal process behaviour on EMS-managed hosts.

Severity: critical. Confidence: medium.

Data Sources: CommonSecurityLog, DeviceEvents, AzureActivity

Required Tables: CommonSecurityLog, DeviceEvents, AzureActivity

False Positives

  • Legitimate FortiClient EMS administrative operations generating access-denied log entries during policy re-evaluation
  • Routine endpoint health checks or agent updates that briefly trigger authorization warnings
  • Penetration testing or red team exercises against EMS infrastructure with prior written authorisation
  • Misconfigured EMS policies causing legitimate users to hit access control boundaries during normal operations
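To show what the CommonSecurityLog branch of the KQL hunt above actually matches, and how the first three false positives listed above can be tuned out without blinding the rule, here is an added Python re-implementation of that branch run over constructed CEF lines. It is example code written for this page, not Fortinet's output format verbatim and not part of the detection vendor's package: the vendor, product and Activity keyword lists are copied from the query, while the sample log lines, the 192.0.2.0/24 "authorised testing" range, the 10.0.0.0/24 management subnet and the ems-admin account are all assumed placeholders. Plain substring matching stands in for KQL's term-based has_any.

```python
"""Added example (not from the original page, Fortinet, or the detection vendor):
Python mirror of the KQL CommonSecurityLog branch plus two tuning rules modelled
on the False Positives list. All sample data and network values are constructed."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Keyword lists copied from the KQL `has_any` clauses on this page.
PRODUCT_KEYWORDS = ("forticlient", "ems")
ACTIVITY_KEYWORDS = (
    "access denied", "authorization failure", "improper access",
    "privilege escalation", "unauthorized", "access control bypass",
)

# Tuning inputs: hypothetical placeholders, not real infrastructure.
AUTHORISED_TEST_RANGES = (ip_network("192.0.2.0/24"),)  # assumed red-team lab range
MANAGEMENT_NET = ip_network("10.0.0.0/24")              # assumed EMS admin subnet
ADMIN_ACCOUNTS = frozenset({"ems-admin"})                # assumed admin/service account

# key=value pairs in the CEF extension; value runs until the next " key=" or end of line
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class CefEvent:
    vendor: str
    product: str
    activity: str  # CEF "Name" header field; Sentinel maps it to CommonSecurityLog.Activity
    ext: dict = field(default_factory=dict)


def parse_cef(line: str) -> CefEvent:
    """Split a CEF line into its seven header fields plus the key=value extension."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    return CefEvent(vendor=parts[1], product=parts[2], activity=parts[5],
                    ext=dict(_EXT_RE.findall(parts[7])))


def matches_hunt(ev: CefEvent) -> bool:
    """Mirror of the KQL CommonSecurityLog branch (substring match stands in for has_any)."""
    if ev.vendor.lower() != "fortinet":          # DeviceVendor =~ "Fortinet"
        return False
    product = ev.product.lower()
    if not any(k in product for k in PRODUCT_KEYWORDS):
        return False
    activity = ev.activity.lower()
    return any(k in activity for k in ACTIVITY_KEYWORDS)


def triage(ev: CefEvent) -> str:
    """Return 'alert', or a 'suppressed: ...' reason for a documented false positive."""
    src = ip_address(ev.ext.get("src", "0.0.0.0"))
    if any(src in net for net in AUTHORISED_TEST_RANGES):
        return "suppressed: authorised testing range"
    # Deliberately narrow: only plain access-denied noise from a known admin account
    # inside the management subnet is suppressed; bypass/escalation wording still alerts,
    # so a compromised admin host cannot hide behind this rule.
    if (src in MANAGEMENT_NET and ev.ext.get("suser") in ADMIN_ACCOUNTS
            and ev.activity.lower() == "access denied"):
        return "suppressed: admin policy re-evaluation"
    return "alert"


def run_hunt(lines):
    """Apply hunt + triage to raw CEF lines; returns (activity, src, verdict) per match."""
    results = []
    for line in lines:
        ev = parse_cef(line)
        if matches_hunt(ev):
            results.append((ev.activity, ev.ext.get("src"), triage(ev)))
    return results


# Constructed sample lines (not real Fortinet log output). The EMS port 8013 and the
# /api/v1/policies path are the only values taken from this page.
SAMPLE_CEF = [
    "CEF:0|Fortinet|FortiClient EMS|7.2|1001|unauthorized request to admin API|8|"
    "src=203.0.113.45 dst=10.0.0.5 dpt=8013 request=/api/v1/policies msg=access control bypass attempt",
    "CEF:0|Fortinet|FortiClient EMS|7.2|1003|access denied|3|"
    "src=10.0.0.20 dst=10.0.0.5 dpt=8013 suser=ems-admin msg=policy re-evaluation",
    "CEF:0|Fortinet|FortiGate|7.4|2001|traffic allowed|1|src=10.0.0.21 dst=10.0.0.9 dpt=443 msg=normal",
    "CEF:0|Fortinet|FortiClient EMS|7.2|1001|unauthorized request to admin API|8|"
    "src=192.0.2.10 dst=10.0.0.5 dpt=8013 request=/api/v1/policies msg=authorised engagement",
]

if __name__ == "__main__":
    for activity, src, verdict in run_hunt(SAMPLE_CEF):
        print(f"{verdict:40s} src={src} activity={activity}")
```

Running it yields one alert (the external source hitting the admin API) and two suppressions; the FortiGate line never reaches triage because it fails the product filter, just as it would in the KQL. The suppression for admin noise keys on the exact Activity string rather than on the source subnet alone, which is the distinction a tuning guide should preserve.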

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-35616 — Fortinet FortiClient EMS Improper Access Control Exploitation above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: FortiClient EMS Unauthenticated API Endpoint Probe

     Expected signal: Web server access log entries on EMS showing HTTP requests to API paths from an unknown source IP, with response codes logged. Network flow records show connections from test host to EMS port 8013.

  2. Test 2: FortiClient EMS Privilege Escalation via Access Control Bypass (Simulated)

     Expected signal: EMS audit log entries recording the low-privilege user's access attempts to admin-tier endpoints. Windows Security Event Log 4648 if token acquisition involved explicit credential use.

  3. Test 3: FortiClient EMS Management Port Reconnaissance from External Network Segment

     Expected signal: Network IDS/IPS alerts for port scan activity targeting EMS management ports. Firewall deny logs if EMS ports are restricted. NetFlow records showing probe connections from test segment to EMS IP.

  4. Test 4: FortiClient Agent Mass Policy Modification via Compromised EMS

     Expected signal: EMS audit log entry recording policy creation event with the admin token's associated username. API access log entry for POST to /api/v1/policies. Managed endpoint logs showing receipt of new policy push if EMS propagates it.

Unlock Pro Content

Get the full detection package for CVE-2026-35616 including response playbook, investigation guide, and atomic red team tests.

Included: Response Playbook, Investigation Guide, Hunting Queries, Atomic Red Team Tests, Tuning Guidance
