Cyber Pulse: Technical Threat Deep Dives on Active CVEs - Fortinet EMS RCE Under Active Exploitation

Intro

CVE-2026-35616 is actively being exploited in the wild. Fortinet has issued an emergency hotfix for FortiClient EMS after confirming unauthenticated remote code execution via crafted requests. This is a live-fire situation on exposed EMS servers.

📌 CVE Context

– Products & versions affected: FortiClient EMS 7.4.5 and 7.4.6
– Disclosure timeline: Published April 3, 2026; active exploitation confirmed April 4, 2026
– Attack vector: Remote (network)
– Privileges required: None
– User interaction: None
– Impact: Unauthenticated attackers can execute arbitrary commands via crafted requests (CWE-284 Improper Access Control)

CVSS Metric Breakdown (v4.0) - CVE-2026-35616 (FortiClient EMS unauthenticated RCE)
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality Impact (VC): High
Integrity Impact (VI): High
Availability Impact (VA): High
Scope Changed (SC): No
Safety Impact (SI): None
Automation (SA): High
Exploit Maturity: Active
Base Score: 9.8 (Critical)

– Confirmed exploitation in the wild
– Emergency hotfix released by Fortinet
– Added to VulnCheck KEV catalog (CISA KEV pending)

🎯 EPSS Scoring

EPSS Probability: 0.00034
Percentile: 0.10127

🔬 Exploitation Detail

– Improper access control allows unauthenticated API access
– Crafted requests bypass authentication checks entirely
– Backend EMS service executes attacker-controlled commands

POST /api/ HTTP/1.1
Host: target

action=exec&cmd=whoami

📎 Attacker Behavior Snapshot

– Attacker scans for exposed EMS servers
– Sends crafted unauthenticated request
– EMS processes request as trusted input
– Command execution occurs under service context
– Output confirmed via response or system behavior

🧩 Why This Matters

This vulnerability targets a centralized endpoint management system. Compromise here gives attackers direct leverage over managed endpoints and security posture.

Exploitation results in:

  • Full command execution on EMS servers
  • Control over endpoint management workflows
  • Rapid lateral movement into managed devices

🧩 MITRE ATT&CK Mapping

Initial Access: T1190 – Exploit Public-Facing Application
Execution: T1059.003 – Command Shell
Persistence: T1505.003 – Server Software Component

🧪 Detection Rules

YARA Rule (Memory/Doc/PCAP)

rule Fortinet_EMS_CVE_2026_35616
{
    meta:
        description = "Detects command execution patterns from EMS"
        cve = "CVE-2026-35616"
    strings:
        // ascii + wide so the strings also match UTF-16 copies in Windows process memory
        $cmd1 = "cmd.exe /c" ascii wide
        $cmd2 = "powershell.exe" ascii wide
    condition:
        any of them
}

Suricata or Zeek (Network)

alert http any any -> any any (msg:"Fortinet EMS RCE Attempt CVE-2026-35616"; flow:to_server,established; content:"POST"; http_method; content:"/api/"; http_uri; content:"action=exec"; http_client_body; nocase; classtype:web-application-attack; sid:3561601; rev:1;)

Sigma Rule (SIEM/EDR)

title: Fortinet EMS Unexpected Command Execution
description: FortiClient EMS service process spawning a command interpreter, the post-exploitation pattern expected for CVE-2026-35616
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: 'FortiClientEMS'
        CommandLine|contains:
            - 'cmd.exe'
            - 'powershell'
    condition: selection
falsepositives:
    - Legitimate EMS maintenance scripts launched by the service
level: critical

🔎 Detection Strategies

✅ Network Detection:

  • Monitor EMS API endpoints for unauthenticated requests
  • Detect abnormal POST requests to EMS services
  • Look for command strings in HTTP payloads

✅ Endpoint Detection:

  • FortiClientEMS spawning cmd.exe or powershell.exe
  • Unexpected execution chains from EMS services
  • New processes without associated user sessions

⚡ Splunk Query

index=endpoint_logs sourcetype=sysmon EventCode=1
ParentImage="*FortiClientEMS*"
(CommandLine="*cmd.exe*" OR CommandLine="*powershell*")
| stats count by host, User, Image, CommandLine
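The endpoint logic of the Sigma rule and Splunk query above, run as a standalone Python hunt over constructed Sysmon-style events (an added example, not code from the newsletter; the hostnames, users, paths and the updater.exe child process are made up):

```python
import json
from collections import Counter

# Constructed Sysmon Event ID 1 (process creation) records, one JSON object per
# line as a forwarder might ship them. Hostnames, paths and users are made up.
SAMPLE_EVENTS = r"""
{"EventID":1,"Computer":"ems01","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\FortiClientEMS.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"EventID":1,"Computer":"ems01","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\FortiClientEMS.exe","Image":"C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\updater.exe","CommandLine":"updater.exe --check"}
{"EventID":1,"Computer":"ws07","User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile"}
{"EventID":1,"Computer":"ems01","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\FortiClientEMS.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"POWERSHELL.EXE -NoProfile -Command Get-Process"}
{"EventID":3,"Computer":"ems01","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\FortiClientEMS.exe","DestinationPort":443}
"""

# Same selection as the Sigma rule; Sigma's |contains is case-insensitive.
PARENT_MARKER = "forticlientems"
SUSPICIOUS_COMMANDS = ("cmd.exe", "powershell")


def matches_sigma(event: dict) -> bool:
    """True when an EMS-parented process creation runs a command interpreter."""
    if event.get("EventID") != 1:          # only process-creation events apply
        return False
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return PARENT_MARKER in parent and any(s in cmdline for s in SUSPICIOUS_COMMANDS)


def hunt(raw_events: str) -> list[dict]:
    """Run the rule over newline-delimited JSON events and return the hits."""
    hits = []
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if matches_sigma(event):
            hits.append({"host": event["Computer"], "user": event["User"],
                         "image": event["Image"], "cmdline": event["CommandLine"]})
    return hits


def summarize(hits: list[dict]) -> Counter:
    """Equivalent of the Splunk '| stats count by host, user, process' step."""
    return Counter((h["host"], h["user"], h["image"]) for h in hits)


if __name__ == "__main__":
    for key, count in summarize(hunt(SAMPLE_EVENTS)).items():
        print(f"{count}x {key}")
```

Only the two EMS-parented interpreter launches fire; the user-launched PowerShell on ws07, the EMS updater child and the network event are ignored.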

πŸ› οΈ SOC Detection Strategy

– Treat any EMS-originated command execution as critical
– Correlate network + process telemetry immediately
– Escalate without delay: no “wait and see” on this one

πŸ› οΈ Tools & Techniques

Sysmon | Process lineage from EMS services
Velociraptor | Hunt for execution artifacts
Zeek | HTTP anomaly detection
Sigma/YARA | Detect command execution patterns

🛡️ Mitigation & Response

– Apply Fortinet emergency hotfix immediately
– Restrict EMS access to internal networks only
– Block external exposure at firewall/WAF level
– Audit EMS servers for signs of compromise
– Monitor for lateral movement into endpoints

📋 Incident Response Snippets

– Identify EMS-originated process execution
– Review API logs for unauthenticated access
– Hunt for lateral movement from EMS host
– Validate integrity of managed endpoints

📚 Suggested Reading & External References

– Fortinet Advisory (FG-IR-26-099)
– VulnCheck KEV catalog entry
– Research notes from runZero analysis

🗾️ Final Thoughts

Unauthenticated remote access to a management plane is immediate compromise.

Patch now, restrict access, and assume exposure until proven otherwise.

Published: April 4, 2026