FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access by Lucie Cardiet
ID: 8db2f4c6-4985-520a-85de-5e437a2c6fb6
STIX ID: report--8db2f4c6-4985-520a-85de-5e437a2c6fb6
Feed Name: Vectra AI Blog
**CVE-2026-35616 — FortiClient EMS control-plane compromise**: The report explains a critical zero-day in FortiClient EMS that permits unauthenticated API access leading to remote code execution. Because EMS centrally manages endpoints, successful exploitation grants attackers broad, trusted reach into environments. The write-up stresses that activity from a compromised EMS blends into normal administrative telemetry across identity, network, and endpoint domains, which makes early detection and containment especially challenging, and it recommends behavior-continuity detection across domains.
