FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access

April 8, 2026
Lucie Cardiet
Head of Cyber Threat Research

CVE-2026-35616 is being discussed as a critical zero-day under active exploitation, but the vulnerability itself is not the part that deserves the most attention.

What matters is where the exploit lands and what kind of position it gives an attacker once it succeeds.

FortiClient EMS is not just another server. It coordinates endpoints, distributes configuration, and carries a level of operational trust that most infrastructure never has to justify. When that system is exposed, the attacker does not simply gain access to a host. They inherit reach.

In an earlier article on zero-day attacks targeting network edge devices, we explained how attackers break the edge, establish a foothold, and then move inward. This new exploit shows what happens when the starting point already sits past that boundary.

The vulnerability was discovered by the Defused team.

From edge entry to control-plane access

The earlier model assumed a sequence: gain access at the edge, then expand.

Here, the EMS server is often reachable enough to be targeted, yet trusted enough that its behavior is rarely questioned. The vulnerability allows unauthenticated interaction with its API that leads to code execution, which means there is no need for credentials, no dependency on user behavior, and no reliance on stolen identity at the start of the intrusion.

That removes an entire stage from the attack path and pushes detection further downstream.

There is no login anomaly, no suspicious account, and no obvious user behavior to anchor the investigation. The attacker arrives directly on a system that already has authority over endpoints and visibility into the environment.

How EMS Works: Endpoint Management Server (EMS) is the central control plane that manages all endpoints, pushes policies, collects telemetry and enforces security across the organization.

Same behavior, different context

The behavior is not new. The context is what hides it.

Attackers still map the environment, identify credentials, and move toward high-value systems. The difference is how quickly they can do it and how normal it looks while they try.

From an EMS foothold, activity blends in. Pulling endpoint data looks like inventory, reading configuration looks administrative, and internal connections resemble routine management rather than lateral movement.

The difference between compromising a network edge device and compromising EMS.

Why this is hard to detect

The signals are there; they just do not look connected.

The exploit begins as API traffic, often indistinguishable from routine requests or background noise. By the time it leads to code execution, the attacker is already operating on a trusted system.

From there, small deviations are enough: connections to new systems, authentication that is valid but unusual, activity outside expected timing. Each signal can be explained on its own.

Detection breaks down because these signals are split across systems. API activity stays in application logs, process execution on the host, network connections in separate tools, and authentication in identity monitoring. No single signal is strong enough.

The attacker does not need stealth. They rely on the fact that no one is looking at the full sequence.

What this looks like in telemetry

This pattern unfolds across domains:

  • API activity with no clear user context
  • changes in process or service behavior on the EMS host
  • outbound connections to systems it rarely contacts
  • authentication tied to services rather than users
  • endpoint interactions outside normal scope

Individually, these are low-signal events. Together, they form a pattern where the EMS server becomes the origin across identity, network, and endpoint activity.
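The correlation the two preceding sections describe, with the weak signals split across application, host, network, identity and endpoint telemetry, can be illustrated with a small detection routine. What follows is an added example, not Vectra's or Fortinet's code and not a description of the exploit: the event records, field names, baselines, thresholds and the 30-minute window are constructed assumptions for illustration, and real EMS, EDR, flow and identity logs use different schemas. Each per-domain check alone is deliberately weak; the finding only fires when one host is the origin of weak signals in at least three domains inside the window.

```python
"""Cross-domain correlation of weak signals that share one origin host.

Added example (not the page's, Vectra's or Fortinet's code). All records,
field names, baselines and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baselines a defender would normally derive from history.
KNOWN_DESTINATIONS = {"ems01": {"10.0.10.20", "10.0.10.21"}}  # endpoints ems01 usually reaches
SERVICE_ACCOUNTS = {"svc-ems"}                                 # non-human accounts
ADMIN_SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}     # shells a service rarely spawns

# Constructed sample events, already normalised from five different sources to
# (timestamp UTC, domain, origin host, details). Process/account names are invented.
SAMPLE_EVENTS = [
    ("2026-04-08T09:00:05Z", "api",      "ems01", {"user": None, "method": "POST"}),
    ("2026-04-08T09:00:09Z", "process",  "ems01", {"parent": "ems-service", "image": "cmd.exe"}),
    ("2026-04-08T09:01:00Z", "api",      "ems01", {"user": "admin1", "method": "GET"}),
    ("2026-04-08T09:02:30Z", "network",  "ems01", {"dst": "10.0.50.7", "port": 445}),
    ("2026-04-08T09:03:00Z", "network",  "ems01", {"dst": "10.0.10.20", "port": 8013}),
    ("2026-04-08T09:04:12Z", "identity", "ems01", {"account": "svc-ems", "logon": "network", "target": "fs01"}),
    ("2026-04-08T09:06:00Z", "endpoint", "ems01", {"action": "run-script", "targets": 40, "scope_limit": 10}),
    # Unrelated host: two weak signals, hours apart, so no pattern forms.
    ("2026-04-08T09:05:00Z", "api",      "web01", {"user": None, "method": "GET"}),
    ("2026-04-08T11:30:00Z", "process",  "web01", {"parent": "httpd", "image": "sh"}),
]


def is_weak(domain, host, d):
    """One low-signal check per domain. Each is too noisy to alert on alone."""
    if domain == "api":
        return d.get("user") is None                        # API call with no user context
    if domain == "process":
        return d.get("image") in ADMIN_SHELLS               # service spawning a shell
    if domain == "network":
        return d.get("dst") not in KNOWN_DESTINATIONS.get(host, set())  # new destination
    if domain == "identity":
        return d.get("account") in SERVICE_ACCOUNTS and d.get("logon") == "network"
    if domain == "endpoint":
        return d.get("targets", 0) > d.get("scope_limit", 0)  # action beyond normal scope
    return False


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def weak_events(events):
    """Keep only events that trip their domain's weak check, as (ts, domain, host)."""
    return [(parse_ts(ts), dom, host) for ts, dom, host, d in events if is_weak(dom, host, d)]


def correlate(events, window=timedelta(minutes=30), min_domains=3):
    """Return {host: sorted domains} for every host whose weak signals span at
    least min_domains distinct domains within one sliding time window."""
    by_host = defaultdict(list)
    for ts, dom, host in sorted(weak_events(events), key=lambda e: e[0]):
        by_host[host].append((ts, dom))
    findings = {}
    for host, evs in by_host.items():
        for i, (start, _) in enumerate(evs):             # slide the window over the host's events
            domains = {dom for ts, dom in evs[i:] if ts - start <= window}
            if len(domains) >= min_domains:
                findings[host] = sorted(domains)
                break
    return findings


if __name__ == "__main__":
    for host, domains in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: weak signals across {', '.join(domains)} within 30 minutes")
```

On the constructed data only ems01 surfaces, because web01's two weak events never share a window. In practice the per-domain checks would be tuned against the real baselines and the window chosen from how quickly post-exploitation activity tends to follow the initial API request; the point the example makes is structural, that the join key is the origin host and the condition is breadth across domains, not the strength of any one signal.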

What this means in practice

If the intrusion is not identified early, containment becomes difficult because the compromised system is one the environment trusts.

Within minutes, the attacker can stabilize their access and build an understanding of the environment. From there, they can move toward systems that matter without triggering immediate concern. By the time the activity becomes clearly malicious, the attacker is already operating with context and access that are hard to unwind.

The response is no longer limited to isolating a single host. It requires examining what that system has accessed, what it may have modified, and which credentials or relationships may have been exposed.

The edge is no longer where detection begins. Initial access may produce little to no usable signal, and the first reliable indicators often appear only after the attacker is operating from a trusted system.

That shifts the problem. Detection becomes about recognizing when systems with defined roles behave outside those roles, and doing so before trust propagates the attack.

This is where behavior continuity matters. When the same system becomes the origin of activity across identity, network, and endpoint domains, weak signals form a coherent pattern.

The Vectra AI Platform focuses on this problem by linking behaviors across identity and network activity, so that low-signal events form a coherent picture early enough to investigate and contain.

If you want to understand how exposed your environment is to this kind of attack path, an Offensive Security Assessment can surface where control-plane systems could be abused and how quickly that behavior would be detected. In this class of attack, that visibility is what determines whether the EMS server is just another alert or the moment the incident is understood.

Frequently asked questions