[{"data":1,"prerenderedAt":120},["ShallowReactive",2],{"article-slug-fortinet-patches-actively-exploited-forticlient-ems-zero-day-cve-2026-35616":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":29,"sources":35,"events":51,"mitre_techniques":61,"tags":70,"extract_datetime":74,"article_type":75,"impact_scope":76,"keywords":87,"pub_date":74,"reading_time_minutes":33,"createdAt":88,"updatedAt":89,"updates":90},"37dbe14d-4359-4099-b295-61b25c00dc13","fortinet-patches-actively-exploited-forticlient-ems-zero-day-cve-2026-35616","Fortinet Scrambles to Patch Actively Exploited FortiClient EMS Zero-Day (CVE-2026-35616)","Fortinet Releases Emergency Hotfix for Critical RCE Zero-Day in FortiClient EMS, CISA Adds to KEV Catalog","Fortinet has released an emergency hotfix for a critical zero-day vulnerability, CVE-2026-35616, affecting its FortiClient Endpoint Management Server (EMS). The flaw, rated 9.1 on the CVSS scale, is an improper access control issue that allows an unauthenticated remote attacker to achieve remote code execution. Fortinet confirmed the vulnerability is being actively exploited in the wild, prompting the U.S. CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog and mandate a swift patching deadline for federal agencies.","## Executive Summary\n\n**[Fortinet](https://www.fortinet.com/)** has issued an urgent security advisory for a critical, actively exploited zero-day vulnerability in its FortiClient Endpoint Management Server (EMS). The vulnerability, tracked as **[CVE-2026-35616](https://www.cve.org/CVERecord?id=CVE-2026-35616)**, has a CVSS score of 9.1 (Critical) and allows an unauthenticated, remote attacker to bypass API authentication and execute arbitrary code. Due to confirmed in-the-wild exploitation, the **[U.S. 
Cybersecurity and Infrastructure Security Agency (CISA)](https://www.cisa.gov)** has added **CVE-2026-35616** to its Known Exploited Vulnerabilities (KEV) catalog, requiring immediate patching by federal agencies. All organizations using the affected FortiClient EMS versions are urged to apply the provided hotfixes without delay to prevent system compromise.\n\n---\n\n## Vulnerability Details\n\n*   **CVE ID:** CVE-2026-35616\n*   **CVSS Score:** 9.1 (Critical)\n*   **Vulnerability Type:** Improper Access Control (CWE-284)\n*   **Description:** The vulnerability is a pre-authentication API access bypass. An unauthenticated attacker can send a specially crafted request to the FortiClient EMS server to bypass both authentication and authorization for API endpoints. This allows the attacker to execute unauthorized commands or code on the server with the privileges of the EMS service, leading to a full system compromise.\n\n## Affected Systems\n\nThe vulnerability impacts the following versions of FortiClient EMS:\n\n*   **FortiClient EMS version 7.4.5**\n*   **FortiClient EMS version 7.4.6**\n\n> Note: The 7.2 branch of FortiClient EMS is reportedly not affected by this vulnerability.\n\n## Exploitation Status\n\nFortinet has confirmed that it has observed active exploitation of **CVE-2026-35616** in the wild. Following this confirmation, **CISA** added the vulnerability to its KEV catalog on April 6, 2026, with a remediation deadline of April 9, 2026, for Federal Civilian Executive Branch (FCEB) agencies. The Cyber Security Agency of Singapore (CSA) has also issued a corresponding alert, indicating a global threat.\n\n## Impact Assessment\n\nA successful exploit of **CVE-2026-35616** has severe consequences. The FortiClient EMS is a central management server for an organization's endpoints. 
Compromising the EMS server could allow an attacker to:\n\n*   Gain complete control over the EMS server itself.\n*   Push malicious updates or configurations to all connected FortiClient endpoints.\n*   Disable security controls across the entire managed fleet of devices.\n*   Use the compromised EMS as a pivot point to move laterally within the corporate network.\n\nThis represents a catastrophic failure of the endpoint security management infrastructure.\n\n## Cyber Observables for Detection\n\nSecurity teams should hunt for signs of exploitation attempts in their logs:\n\n*   **Log Source:** Web server logs for the FortiClient EMS service (e.g., IIS, Nginx).\n*   **Observable:** Monitor for HTTP requests to FortiClient EMS API endpoints that lack proper authentication tokens or originate from untrusted, external IP addresses.\n*   **Observable:** Look for anomalous process execution originating from the FortiClient EMS process, such as `powershell.exe`, `cmd.exe`, or `wscript.exe`.\n*   **Observable:** Check for newly created files in system directories or unexpected outbound network connections from the EMS server.\n\n## Detection Methods\n\n*   **Vulnerability Scanning:** Use vulnerability scanners with updated plugins to identify affected FortiClient EMS versions in your environment.\n*   **Log Analysis:** Create SIEM rules to alert on unauthenticated access attempts to sensitive API endpoints on the EMS server. 
Correlate web server access logs with endpoint process logs to detect post-exploitation activity.\n\n### D3FEND Techniques\n\n*   **Network Traffic Analysis ([`D3-NTA`](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis)):** Analyze traffic to the EMS server to identify anomalous request patterns or connections from known malicious IPs.\n*   **Process Analysis ([`D3-PA`](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis)):** Monitor the EMS server for suspicious child processes or command-line executions indicative of post-exploitation activity.\n\n## Remediation Steps\n\nImmediate patching is the only effective remediation.\n\n1.  **Prioritize Patching:** Identify all internet-facing FortiClient EMS servers and patch them immediately. These are at the highest risk.\n2.  **Apply Hotfix:** Fortinet has released hotfixes for the affected versions. Customers must download and apply these patches as soon as possible.\n3.  **Upgrade:** A full fix will be included in FortiClient EMS version 7.4.7. Plan to upgrade to this version once it becomes available.\n4.  **Compensating Controls:** If patching is not immediately possible, restrict access to the FortiClient EMS management interface to a limited set of trusted IP addresses. This is a temporary measure and does not replace the need to patch.\n5.  **Hunt for Compromise:** After patching, assume compromise and hunt for indicators of malicious activity on the EMS server and connected endpoints.\n\n### D3FEND Countermeasures\n\n*   **Software Update ([`D3-SU`](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate)):** This is the primary and most critical countermeasure. Applying the security update from Fortinet directly remediates the vulnerability.","⚠️ URGENT: Fortinet patches actively exploited zero-day (CVE-2026-35616) in FortiClient EMS. Critical RCE flaw (CVSS 9.1) allows unauth'd access. CISA adds to KEV. Patch immediately! 
🔥 #ZeroDay #Fortinet #CyberSecurity #CVE202635616","Fortinet issues an emergency patch for CVE-2026-35616, a critical zero-day vulnerability in FortiClient EMS being actively exploited for remote code execution.",[13,14,15],"Vulnerability","Patch Management","Cyberattack","critical",[18,21,23,26],{"name":19,"type":20},"CISA","government_agency",{"name":22,"type":20},"Cyber Security Agency of Singapore (CSA)",{"name":24,"type":25},"FortiClient EMS","product",{"name":27,"type":28},"Fortinet","vendor",[30],{"id":31,"cvss_score":32,"cvss_version":33,"kev":34,"severity":16},"CVE-2026-35616",9.1,null,1,[36,40,43,47],{"url":37,"title":38,"date":33,"website":39},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFlJTuEioxt0JhddUwol2_t6tFAS4pQ3dO9wX4coUq4VXmtPjUFu66XiYTpCzgZW7RUcFEJL_U53z2QRBv2xlMqwvEejot_o3__O1Zs6l8owpGXSlLNdwMx0Li-WQse8R1__z8=","April 4, 2026 - Red Dot Security","vertexaisearch.cloud.google.com",{"url":41,"title":42,"date":33,"website":39},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHfgXGk6YBNAG8LoQV6Wqo-dpLwUxr9WGKndDhgZJC_z7HFmcrdIJi994cSkt_d8CcuNsxD6EsvutWhMFiYVwz16GPQkZXeo9UBS64aoWCfYPsXckp5h5vZ-fAevvccmDc7RrIZFgWL7j-zRSgKfhUQOoJjf_8CLcDGbUslSgY3jQMcYZ6MyrYECYJkYe0b","FortiClient EMS zero-day exploited, emergency hotfixes available (CVE-2026-35616)",{"url":44,"title":45,"date":33,"website":46},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHlngWJopHU9WvMVh3j4z5-nvMbrGylghpt-zDMaLLOtUm--yqXp4Hz2htYX2d2pGZxAvHPwFtDIDl8N_GIhla5g97C6D-TmKrkUKwZER3gnufWx7Iv4vgPb1Fu2u9B83HkeAiupVHLHmi5wjC0","API authentication and authorization bypass - PSIRT | FortiGuard Labs","fortiguard.com",{"url":48,"title":49,"date":33,"website":50},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHDu9Gegm3aLSOsJEzpKZoVTmI9aoR0moD9LGHEJ-XJSjRmcJEjKrLCiIv0Ze47Krnb_Vw-yU-PZghOJY09h5khDvAJj71WYrVUh_QChPDwh_qi9R4O20O9qvt_v3orNYjc9KuGelMsbD596yoykJ4vNzjhP6kvfYbQnJDOFaok53e19EG2aepXmA==","Fortinet 
Patches Actively Exploited CVE-2026-35616 in FortiClient EMS","thehackernews.com",[52,55,58],{"datetime":53,"summary":54},"2026-04-04T00:00:00Z","Fortinet releases an emergency hotfix and advisory for CVE-2026-35616.",{"datetime":56,"summary":57},"2026-04-06T00:00:00Z","CISA adds CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog.",{"datetime":59,"summary":60},"2026-04-09T00:00:00Z","Deadline set by CISA for US federal agencies to apply the patch.",[62,66],{"id":63,"name":64,"tactic":65},"T1190","Exploit Public-Facing Application","Initial Access",{"id":67,"name":68,"tactic":69},"T1210","Exploitation of Remote Services","Lateral Movement",[19,31,27,71,72,13,73],"KEV","RCE","Zero-Day","2026-04-05","NewsArticle",{"geographic_scope":77,"industries_affected":78,"companies_affected":83,"governments_affected":84,"countries_affected":85,"other_affected":86,"people_affected_estimate":33},"global",[79,80,81,82],"Government","Technology","Healthcare","Finance",[],[],[],[],[19,31,27,71,72,13,73],"2026-04-05T15:00:00.000Z","2026-04-07T00:00:00Z",[91,106],{"datetime":89,"summary":92,"content":93,"severity_change":94,"sources":95},"CISA sets strict April 9 deadline for Fortinet EMS patch; vulnerability discovered by Defused.","The U.S. CISA officially added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog on April 6, 2026, mandating federal agencies to apply the Fortinet hotfix by April 9, 2026. The vulnerability, which allows remote code execution in FortiClient EMS versions 7.4.5 and 7.4.6, was reportedly discovered and reported by the security firm Defused. 
This update reinforces the critical urgency for all organizations to patch immediately due to active exploitation.","unchanged",[96,100,103],{"url":97,"title":98,"website":99,"date":89},"https://www.gbhackers.com/cisa-alerts-actively-exploited-fortinet-zero-day/","CISA Alerts Defenders to Actively Exploited Fortinet Zero-Day Vulnerability","",{"url":101,"title":102,"website":99,"date":89},"https://www.cyber-press.com/cisa-alerts-on-actively-exploited-fortinet-0-day-vulnerability/","CISA Alerts on Actively Exploited Fortinet 0-Day Vulnerability",{"url":104,"title":105,"website":99,"date":89},"https://www.arcticwolf.com/resources/blog/cve-2026-35616-fortinet-releases-hotfix-for-critical-exploited-vulnerability-in-forticlient-ems/","CVE-2026-35616: Fortinet Releases Hotfix for Critical Exploited Vulnerability in FortiClient EMS",{"datetime":56,"summary":107,"content":108,"severity_change":109,"sources":110},"CVSS score updated to 9.8, nearly 2,000 FortiClient EMS instances exposed online, and new IOCs released as exploitation attempts increase.","The CVSS score for CVE-2026-35616 has been updated from 9.1 to 9.8, reflecting a higher critical impact. Analysis reveals nearly 2,000 FortiClient EMS instances are exposed online, with initial exploitation detected around March 31, 2026. Security researchers report a significant increase in scanning and exploitation attempts. New indicators of compromise (IOCs) include specific URL patterns (/api/v1/vulnerabilities), monitoring FCTDas.exe for suspicious child processes, and scrutinizing inbound connections to EMS port 8013. 
Organizations are urged to apply hotfixes immediately and consider network isolation for management interfaces.","increased",[111,114,117],{"url":112,"title":113,"website":99,"date":56},"https://cyberscoop.com/fortinet-zero-day-exploited-forticlient-ems/","Fortinet customers confront actively exploited zero-day, with a full patch still pending",{"url":115,"title":116,"website":99,"date":56},"https://www.securityweek.com/fortinet-rushes-emergency-fixes-for-exploited-zero-day/","Fortinet Rushes Emergency Fixes for Exploited Zero-Day",{"url":118,"title":119,"website":99,"date":56},"https://www.rapid7.com/blog/post/2026/04/06/cve-2026-35616-forticlient-ems-api-auth-bypass-enables-command-execution/","CVE-2026-35616: FortiClient EMS API Auth Bypass Enables Command Execution",1775683826672]