Detect CVE-2026-35616 — Fortinet FortiClient EMS Improper Access Control Exploitation in Splunk
Detects exploitation attempts targeting CVE-2026-35616, an improper access control vulnerability (CWE-284) in Fortinet FortiClient Enterprise Management Server (EMS). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may leverage this flaw to bypass access controls on the EMS server, potentially enabling unauthorized configuration changes, endpoint agent manipulation, or lateral movement through managed endpoints.
MITRE ATT&CK
SPL Detection Query
index=* (sourcetype="fortinet:forticlient" OR sourcetype="fortinet:ems" OR sourcetype="syslog" host="*ems*")
| eval normalized_msg=lower(coalesce(message, _raw))
| where match(normalized_msg, "(access.denied|authorization.fail|privilege.escal|unauthorized|bypass|improper.access|access.control)")
OR (match(normalized_msg, "(forticlient|fcems|ems)") AND match(normalized_msg, "(error|fail|denied|reject)"))
| eval severity_indicator=case(
match(normalized_msg, "privilege.escal"), "CRITICAL",
match(normalized_msg, "bypass|unauthorized"), "HIGH",
match(normalized_msg, "access.denied|authorization.fail"), "MEDIUM",
true(), "LOW"
)
| stats count AS event_count, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(src_ip) AS source_ips, values(dest_ip) AS dest_ips, values(severity_indicator) AS severity_indicators BY host, user, normalized_msg
| where event_count > 1
| sort - event_countSearches Fortinet FortiClient and EMS sourcetypes for access control failure patterns indicative of CVE-2026-35616 exploitation. Aggregates by host and user to surface repeated or escalating access violations. Severity indicator field aids triage prioritisation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- EMS policy synchronisation events that generate transient access failures during update windows
- Legitimate admin role changes on the EMS server triggering access re-evaluation log entries
- FortiClient agent reconnection storms after network outages producing burst denial events
- Security scanner or vulnerability assessment tools probing EMS API endpoints
Other platforms for CVE-2026-35616
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1FortiClient EMS Unauthenticated API Endpoint Probe
Expected signal: Web server access log entries on EMS showing HTTP requests to API paths from an unknown source IP, with response codes logged. Network flow records show connections from test host to EMS port 8013.
- Test 2FortiClient EMS Privilege Escalation via Access Control Bypass (Simulated)
Expected signal: EMS audit log entries recording the low-privilege user's access attempts to admin-tier endpoints. Windows Security Event Log 4648 if token acquisition involved explicit credential use.
- Test 3FortiClient EMS Management Port Reconnaissance from External Network Segment
Expected signal: Network IDS/IPS alerts for port scan activity targeting EMS management ports. Firewall deny logs if EMS ports are restricted. NetFlow records showing probe connections from test segment to EMS IP.
- Test 4FortiClient Agent Mass Policy Modification via Compromised EMS
Expected signal: EMS audit log entry recording policy creation event with the admin token's associated username. API access log entry for POST to /api/v1/policies. Managed endpoint logs showing receipt of new policy push if EMS propagates it.
Unlock Pro Content
Get the full detection package for CVE-2026-35616 including response playbook, investigation guide, and atomic red team tests.