Cyber Threat Brief — April 6 2026
⚠️ This report is AI-generated. Always validate findings.
1. FortiClient EMS Pre-Auth API Bypass Exploited as Zero-Day — CVE-2026-35616
TL;DR: CVSS 9.1 improper access control in FortiClient EMS 7.4.5–7.4.6 lets unauthenticated attackers bypass API auth and execute code. Exploited ITW since March 31; Fortinet shipped an emergency weekend hotfix April 5.
What’s New:
- Fortinet confirmed active exploitation and released out-of-band hotfixes for FortiClient EMS 7.4.5 and 7.4.6 on April 5 (weekend emergency release); full fix expected in 7.4.7
- watchTowr honeypots recorded first exploitation attempts March 31, 2026; Defused Cyber (Simo Kohonen) independently confirmed zero-day activity
- Pre-auth API access bypass (CWE-284) allows unauthenticated attackers to sidestep API authentication/authorization and execute arbitrary code or commands via crafted HTTP requests
- Roughly 2,000 FortiClient EMS instances exposed to the internet per Shodan/Censys scans; any of these reachable on the admin/API interface should be treated as potentially compromised until reviewed
- No public PoC or Fortinet-published IOCs as of April 6; exploitation is opportunistic and broad
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Unauthenticated API requests to the FortiClient EMS admin/API interface (TCP 443) or the endpoint telemetry port (TCP 8013) | Network | T1190 | Firewall/WAF logs, FortiClient EMS access logs | Block — restrict the EMS admin/API interface to trusted management IPs only; 8013 is the FortiClient-to-EMS telemetry port and must stay reachable from managed endpoints, so filter it to endpoint ranges rather than closing it |
| Unexpected admin account creation or policy changes in EMS | Behavioral | T1136.001 | FortiClient EMS audit logs (C:\Program Files\Fortinet\FortiClientEMS\logs\) | Hunt — review all account/policy changes since March 31 |
| Crafted HTTP requests bypassing API auth | Exploit artifact | T1190 | Web server access logs, IDS/IPS | Alert — no request signature is public yet, so alert on API calls to EMS from sources outside the management allowlist and on API calls that succeed (2xx) from a source with no preceding admin login |
| Post-exploitation: endpoint policy manipulation via EMS | Behavioral | T1562.001 | FortiClient EMS logs, endpoint telemetry | Hunt — audit endpoint security policy changes for tampering |
| FortiClient EMS service (FCTEMSSrv.exe) spawning unexpected child processes | Process | T1059 | Sysmon EID 1, EDR | Alert — baseline the normal EMS process tree, then alert on cmd.exe, powershell.exe, or other interpreters and LOLBins spawned by the EMS service |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need: FortiClient EMS API anomaly detection, unauthenticated access to management endpoints |
| Elastic | None specific | Need: FortiClient EMS log parsing, suspicious admin creation post-exploitation |
| Sigma | None specific | Need: FortiClient EMS service child process anomaly, API auth bypass indicators |
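Worked triage logic for two of the hunts above (the allowlist check behind the "restrict EMS management to trusted IPs" row and the "baseline normal EMS process tree" row, which the Detection table lists as gaps), added here as an example. It is not code from the brief, from Fortinet, or from any of the cited sources. Everything it consumes is constructed: the access-log lines and their format, the /api/ path prefix (the brief does not name the vulnerable endpoints), the trusted management subnet, the EMS install path, and the one-entry child-process baseline, which a real deployment would replace with its own observed baseline.

```python
"""Added example (not from the brief or from Fortinet): triage logic for two of
the FortiClient EMS hunts above, run over constructed sample telemetry.

Assumptions (hypothetical, not from the brief): the access-log format, the
/api/ path prefix, the trusted management subnet, the EMS install path, and
the allowlist of child images the EMS service is expected to spawn.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# --- Hunt 1: EMS admin/API requests from outside the trusted management range ---

# Constructed sample lines in a common-log-style format (hypothetical format).
ACCESS_LOG = """\
10.20.30.5 - - [31/Mar/2026:09:12:01 +0000] "GET /api/v1/admin/users HTTP/1.1" 200 512
198.51.100.77 - - [31/Mar/2026:09:13:44 +0000] "POST /api/v1/admin/users HTTP/1.1" 200 88
198.51.100.77 - - [31/Mar/2026:09:13:50 +0000] "POST /api/v1/policy HTTP/1.1" 200 61
10.20.30.9 - - [31/Mar/2026:09:14:02 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.12 - - [31/Mar/2026:09:20:17 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # assumed management subnet
API_PREFIX = "/api/"  # assumed: the brief does not name the vulnerable endpoints

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


@dataclass(frozen=True)
class ApiHit:
    ts: str
    src: str
    method: str
    path: str
    status: int


def untrusted_api_hits(log_text: str) -> list[ApiHit]:
    """Return API requests whose source address is outside TRUSTED_NETS."""
    hits: list[ApiHit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(API_PREFIX):
            continue
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in TRUSTED_NETS):
            continue
        hits.append(ApiHit(m["ts"], m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


# --- Hunt 2: EMS service spawning children outside its baseline ---

# Constructed Sysmon Event ID 1 records reduced to the fields the hunt needs.
# The install directory is assumed; the service binary name is the one in the table.
EMS_DIR = r"C:\Program Files\Fortinet\FortiClientEMS"
SYSMON_EVENTS = [
    {"EventID": 1, "ParentImage": EMS_DIR + r"\FCTEMSSrv.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0xffffffff"},
    {"EventID": 1, "ParentImage": EMS_DIR + r"\FCTEMSSrv.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": EMS_DIR + r"\FCTEMSSrv.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -enc SQBFAFgA"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "Image": EMS_DIR + r"\FCTEMSSrv.exe", "DestinationIp": "10.20.30.50"},
]

EMS_SERVICE_IMAGE = "fctemssrv.exe"
# Placeholder baseline: populate from your own fleet's observed EMS process tree.
EXPECTED_CHILDREN = {"conhost.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def anomalous_ems_children(events: list[dict]) -> list[dict]:
    """Return Sysmon EID 1 events where the EMS service spawned a non-baseline child."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue  # only process-creation events carry a parent/child pair
        if _basename(ev["ParentImage"]) != EMS_SERVICE_IMAGE:
            continue
        if _basename(ev["Image"]) in EXPECTED_CHILDREN:
            continue
        findings.append(ev)
    return findings


if __name__ == "__main__":
    for hit in untrusted_api_hits(ACCESS_LOG):
        print("UNTRUSTED API:", hit)
    for ev in anomalous_ems_children(SYSMON_EVENTS):
        print("EMS CHILD:", ev["Image"], "|", ev["CommandLine"])
```

On the constructed input the first hunt surfaces the two API calls from 198.51.100.77 and ignores the non-API favicon request from 203.0.113.12, while the second surfaces cmd.exe and powershell.exe under the EMS service and ignores both the baselined conhost.exe child and the cmd.exe that explorer.exe launched. Once Fortinet publishes IOCs, the path-prefix and source checks in the first hunt are the place to add request-level signatures.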
Sources: BleepingComputer · The Hacker News · Help Net Security · SecurityOnline · runZero
Status Updates
- CVE-2026-5281 (Chrome Dawn): Companion CVE-2026-5289 (CVSS 9.6) disclosed in same update — Navigation use-after-free enabling sandbox escape post-renderer compromise. Same patch (146.0.7680.178). CISA KEV deadline April 15. Verify fleet-wide Chrome update. Original brief.
- CVE-2026-4681 (PTC Windchill): CISA ICS advisory ICSA-26-085-03 published; still no patch available. German police physically notifying affected orgs. Imminent exploitation threat persists. Original brief.
- CVE-2026-3055 (Citrix NetScaler): Active exploitation ongoing via SAMLRequest and /wsfed/passive paths; Metasploit module available. Federal deadline passed April 2. Original brief.
- CVE-2025-53521 (F5 BIG-IP APM): UNC5221 BRICKSTORM exploitation ongoing; federal deadline passed March 30. No new IOCs. Original brief.
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing; no new artifacts. Original brief.