Skip to content
.ca
sign in
3 minhigh

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added CVE-2026-35616, an improper access control vulnerability in Fortinet FortiClient EMS, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. All organizations are strongly urged to prioritize the timely remediation of this vulnerability to reduce their exposure to cyberattacks.

Sens:ImmediateConf:highAnalyzed:2026-04-06reports

Authors: CISA

CVE-2026-35616FortinetCISA KEVFortiClient EMSAccess Control

Source:CISA

Key Takeaways

  • CISA has added CVE-2026-35616 to the Known Exploited Vulnerabilities (KEV) Catalog.
  • The vulnerability affects Fortinet FortiClient EMS and involves improper access control.
  • There is confirmed evidence of active exploitation of this vulnerability in the wild.
  • Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability under BOD 22-01.

Affected Systems

  • Fortinet FortiClient EMS

Vulnerabilities (CVEs)

  • CVE-2026-35616

Attack Chain

Threat actors are actively exploiting an improper access control vulnerability (CVE-2026-35616) in Fortinet FortiClient EMS. Successful exploitation likely allows unauthorized access, configuration changes, or privilege escalation within the affected system. Specific post-exploitation activities, payloads, or threat actor details are not provided in the alert.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the alert.

Detection Engineering Assessment

EDR Visibility: Low — The alert does not provide specific post-exploitation TTPs, processes, or file indicators that EDR would detect, focusing solely on the vulnerability itself. Network Visibility: Medium — Network appliances might detect exploitation attempts against FortiClient EMS if specific IDS/IPS signatures for CVE-2026-35616 are deployed. Detection Difficulty: Hard — Without specific IOCs or exploit payloads detailed in the alert, detection relies entirely on vendor-provided patches and generic access control anomaly detection.

Required Log Sources

  • FortiClient EMS application logs
  • Network IDS/IPS logs
  • Web Application Firewall (WAF) logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for anomalous access patterns or unauthorized configuration changes in FortiClient EMS logs indicating exploitation of access control flaws.Application logsInitial AccessMedium

Control Gaps

  • Unpatched Fortinet FortiClient EMS instances exposed to untrusted networks

Key Behavioral Indicators

  • Anomalous administrative access to FortiClient EMS
  • Unexpected configuration changes within the EMS environment

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply the latest vendor patches or updates for Fortinet FortiClient EMS to remediate CVE-2026-35616 immediately.

Infrastructure Hardening

  • Restrict access to the FortiClient EMS management interface to trusted IP addresses and internal networks.
  • Implement strict access control and least privilege principles for all administrative interfaces.

User Protection

  • N/A

Security Awareness

  • Ensure vulnerability management teams prioritize items added to the CISA KEV catalog for expedited patching.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1068 - Exploitation for Privilege Escalation

Related