This Week's 4 Must-Patch Threats: FortiClient EMS Zero-Day to Rockstar's 78M Breach

CVE-2026-35616 is a CWE-284 (Improper Access Control) vulnerability in Fortinet FortiClient EMS versions 7.4.5 and 7.4.6. The flaw allows an unauthenticated attacker to send specially crafted API requests that the EMS server processes as valid authenticated commands — bypassing the authentication layer entirely and enabling arbitrary code execution or command execution with the privileges of the running EMS service account.

FortiClient EMS is a Windows-based server application that serves as the central management plane for enterprise FortiClient endpoint deployments. It receives configuration instructions from administrators, pushes security profiles and compliance policies to FortiClient agents on managed endpoints, evaluates device posture for ZTNA and VPN access decisions, and manages the full lifecycle of endpoint protection settings across the fleet. In most enterprise deployments the EMS server runs with privileged Windows service account credentials and maintains persistent HTTPS connectivity to every managed endpoint.

An attacker who achieves code execution on the EMS server does not merely compromise one machine — they inherit administrative authority over the endpoint security configuration of every device the EMS instance manages. This means the ability to disable quarantine policies, alter detection sensitivity settings, modify application control rules permitting previously-blocked tools, and push modified FortiClient agent configurations to endpoints across the organisation. Unlike the authentication bypass covered in yesterday's analysis of [CVE-2026-33032 (nginx-ui MCPwn)](/blog/nginx-ui-cve-2026-33032-mcpwn-authentication-bypass) — where a missing middleware registration on a single endpoint was the root cause — CVE-2026-35616 stems from improper access control logic within the API's request processing path, requiring targeted vendor remediation rather than a single-line configuration fix.

The most significant threat-intelligence signal from CVE-2026-35616 is not the vulnerability itself — it is the exploitation timeline. Active attacks against FortiClient EMS deployments were first recorded on March 31, 2026, when watchTowr Labs registered hostile probing against its honeypot infrastructure. Fortinet did not publish its advisory (PSIRT FG-IR-26-099) until April 6. That six-day gap means attackers were operating against production targets while no patch existed, no public advisory existed, and defenders had no reason to suspect the attack vector.

Defused Cyber's Simo Kohonen confirmed on April 3 via a public post that zero-day exploitation had been observed earlier that week — prior to the watchTowr honeypot timestamp — suggesting the exploitation window may trace back further into the period immediately following responsible disclosure to Fortinet. CISA's April 6 simultaneous advisory and KEV addition with a three-day federal remediation deadline (April 9) reflects the confirmed exploitation status at the moment of disclosure: CISA does not add to KEV simultaneously with a vendor advisory without confirmed threat intelligence.

The Singapore CSA and NHS England Digital both issued national advisories this week, indicating the exploitation campaign has reached incident-confirmed cases in critical sectors across multiple jurisdictions. For organisations not subject to BOD 22-01, the federal deadline is a useful calibration: the US government judged eleven days was already too long to leave this unpatched. Non-federal organisations running FortiClient EMS 7.4.5 or 7.4.6 without the hotfix should treat remediation as an active incident response priority, not a scheduled maintenance item.

FortiClient EMS is deployed by organisations that have standardised on FortiClient for enterprise endpoint protection — predominantly medium-to-large enterprises operating Fortinet's Security Fabric architecture. It is particularly prevalent in financial services, government, healthcare, critical infrastructure, and manufacturing, where Fortinet holds significant endpoint market share due to its integration with FortiGate next-generation firewalls and ZTNA access control.

NHS England Digital issued Cyber Alert CC-4766 explicitly naming CVE-2026-35616 and confirming active exploitation this week. The Cyber Security Agency of Singapore issued Alert AL-2026-031 with the same exploitation confirmation. Simultaneous national advisories from two government cybersecurity bodies — covering jurisdictions with significant critical infrastructure Fortinet deployments — indicate the campaign has produced confirmed incident cases beyond honeypot telemetry.

The vulnerability scope is version-specific: FortiClient EMS 7.4.5 and 7.4.6 are the affected releases. These represent the current-generation branch that organisations would have deployed during Q1 2026 standard upgrade cadence. Organisations on FortiClient EMS 7.2.x or earlier are reportedly not affected by CVE-2026-35616 specifically. However, given the rate of Fortinet vulnerability exploitation in recent quarters — CVE-2026-21643 was also added to CISA's KEV catalog in April 2026 alongside CVE-2026-35616 — a full Fortinet CVE exposure audit across all deployed versions remains advisable regardless of branch.

On April 14, 2026, Rockstar Games confirmed a breach after the ShinyHunters extortion group began publicly leaking internal data. The breach originated not in Rockstar's core infrastructure but through Anodot — a cloud cost-monitoring and anomaly detection service with authenticated integration access to Rockstar's Snowflake data warehouse environment.

ShinyHunters exploited a security flaw in Anodot's platform to extract service account authentication tokens. Those tokens were legitimate credentials Anodot used to perform its cost-monitoring functions — they granted real-time read access to Rockstar's connected Snowflake instance as a normal operational requirement of the integration. The attackers leveraged the stolen tokens to access Rockstar's Snowflake environment silently, exfiltrating data without triggering authentication alerts on Rockstar's side, since the access appeared to originate from a legitimate Anodot service account.

ShinyHunters demanded a ransom before going public. Rockstar declined. The group began publishing 78.6 million records on April 14. Independent analysis of the leaked dataset confirmed it consists primarily of internal analytics and operational metrics — not GTA 6 source code, player payment information, or personally identifiable information in sensitive categories. Rockstar's official statement confirmed the scope as limited to analytics data from Anodot-connected infrastructure.

The attack vector — compromising a third-party SaaS provider's credentials to silently pivot into a victim's cloud data warehouse — mirrors the supply chain exploitation pattern detailed in our post on [North Korea's 1,700 malicious packages targeting developer pipelines](/blog/north-korea-supply-chain-1700-packages). The entry point is not your infrastructure; it is the third-party service you trust with authenticated access to it.

Three additional developments from the week of April 14 warrant operational attention from security teams.

Operation PowerOFF concluded with Europol and law enforcement agencies across multiple countries seizing 53 domains belonging to commercial DDoS-for-hire platforms and arresting four individuals. The seized services collectively served over 75,000 registered users — providing on-demand volumetric denial-of-service capabilities targeting gaming platforms, financial institutions, and public services. The operation follows the 2024 takedown of RedLine and META infostealer infrastructure in Operation Magnus and reflects continued law enforcement escalation against crime-as-a-service business models that lower the technical barrier to cybercrime for non-specialist actors.

UAC-0247 is a newly disclosed threat cluster attributed by Ukraine's CERT-UA following campaigns between March and April 2026 targeting Ukrainian government bodies and municipal healthcare institutions — specifically clinics and emergency hospitals. The group deployed credential-theft malware designed to extract stored passwords from Chromium-based browsers and WhatsApp message histories from compromised endpoints. The deliberate targeting of emergency healthcare infrastructure during a conflict raises operational severity beyond data theft to potential disruption of medical services.

CISA flagged the Windows Task Host as harbouring an actively exploited privilege escalation vulnerability this week, adding it to the KEV catalog. This advisory coincides with the ongoing [April Patch Tuesday](/blog/patch-tuesday-april-2026) deployment cycle — organisations with outstanding Patch Tuesday items should accelerate deployment to address all confirmed exploitation cases in a single maintenance window this weekend.

Fortinet has not published formal indicator-of-compromise packages for CVE-2026-35616 as of April 17, 2026. Detection relies on behavioral monitoring, log analysis, and anomaly detection against the FortiClient EMS server and its connected endpoint fleet.

On the EMS server, review Windows Security Event logs and FortiClient EMS application logs for unexpected API activity since March 31. Specifically: API calls from IP addresses not corresponding to known FortiClient agent subnets or authorised administrator workstations; privileged operations executed without a corresponding authenticated session initiation; any new administrator account creation or modification of existing account privileges; and Windows service start/stop events outside of scheduled maintenance windows.

At the network layer, monitor outbound connections from the EMS server process. FortiClient EMS has a well-defined set of legitimate outbound destinations — FortiGuard update infrastructure, FortiClient agent subnets, and Fortinet licensing servers. Any outbound connection to external IPs outside these expected destinations, particularly on non-standard ports or exhibiting beacon-like timing patterns, warrants immediate investigation as a potential post-exploitation C2 indicator.

Downstream detection signal: if attackers modified FortiClient agent policy profiles after compromising the EMS server, managed endpoints will exhibit configuration drift from baseline — altered scan schedules, changed quarantine rules, modified application control policies. SIEM alerts on FortiClient agent configuration changes that do not correspond to known administrator actions provide a passive exploitation detection layer that operates even after the EMS server has been patched.

This week's priority action list covers three distinct vectors: the actively exploited pre-auth RCE in FortiClient EMS, the third-party OAuth token exposure demonstrated by the Rockstar Games breach, and any outstanding April Patch Tuesday items that have not yet been deployed.

The FortiClient EMS hotfix is the single highest-priority action. CISA's federal deadline passed on April 9. Non-federal organisations have now had eleven days since the hotfix was published with no downtime required. An unpatched FortiClient EMS 7.4.5 or 7.4.6 server is a CISA-confirmed, actively-exploited, pre-authentication code execution vulnerability running on the system that manages your endpoint security infrastructure. Treat it as an active incident response priority, not a routine patch cycle item.

The Rockstar Games breach should prompt every organisation with third-party SaaS integrations connected to cloud data warehouses to conduct an immediate token permission audit. Identify which external services hold active OAuth tokens or API keys with read or write access to Snowflake, Databricks, or equivalent platforms. Verify expiry dates, rotation schedules, and revoke any access that is not actively required.

CVE-2026-35616 is the patch this weekend. FortiClient EMS pre-auth RCE at CVSS 9.1, confirmed exploited since March 31, with national advisories from NHS England and Singapore CSA — and the permanent fix is still pending in 7.4.7. The hotfix is available today, applies without downtime, and protects the server that manages your entire endpoint security stack. The Rockstar Games breach adds a parallel action item: every organisation with third-party SaaS access to cloud data warehouses should audit external token permissions before Monday. One compromised Anodot credential was enough to reach 78.6 million Rockstar records. Your equivalent attack surface is the third-party permissions you have not reviewed. Apply the Fortinet hotfix. Audit third-party token access. Verify your April Patch Tuesday deployment is complete.