Fortinet has issued emergency out-of-band patches for a critical security vulnerability in FortiClient Enterprise Management Server (EMS) that has been confirmed as actively exploited in the wild. The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), is a pre-authentication API access bypass that enables privilege escalation, giving unauthenticated attackers administrative control over managed endpoints.
What Is FortiClient EMS?
FortiClient EMS is Fortinet's centralized endpoint management solution used by enterprises to deploy, manage, and enforce security policies on FortiClient endpoint protection agents installed across workstations, laptops, and servers. It is widely deployed in enterprise and government environments as part of the Fortinet Security Fabric.
Because FortiClient EMS has administrative authority over connected endpoints, a compromise of the EMS server can cascade into control of every managed device in an organization.
Vulnerability Details: CVE-2026-35616
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-35616 |
| CVSS Score | 9.1 (Critical) |
| Type | Pre-Authentication API Access Bypass |
| Impact | Privilege Escalation to Administrator |
| Authentication Required | None |
| Actively Exploited | Yes — confirmed by Fortinet |
| Patch Available | Yes — out-of-band release |
The flaw is described as a pre-authentication API access bypass leading to privilege escalation. Specifically, the vulnerability allows an unauthenticated attacker to access privileged API endpoints on the EMS server without valid credentials. By exploiting this access, the attacker can escalate their privileges to administrator level within the EMS platform.
Once administrative access is achieved, the attacker can:
- Push malicious endpoint policies to all managed FortiClient agents
- Extract endpoint inventory and configuration data including device names, usernames, and network details
- Disable security features on managed endpoints (antivirus, firewall rules, web filtering)
- Deploy payloads or commands through EMS-managed agent channels
Active Exploitation Confirmed
Fortinet's advisory explicitly acknowledges that the vulnerability has been exploited in the wild, prompting the release of an out-of-band patch outside of the regular quarterly patching cycle. This is consistent with Fortinet's recent pattern of responding to zero-day or near-zero-day exploitation of its network security products.
Organizations with FortiClient EMS deployments should treat CVE-2026-35616 as an active threat requiring immediate response.
Affected Versions
Organizations should consult Fortinet's official security advisory for the complete list of affected FortiClient EMS versions and the specific patched releases. Out-of-band patches have been made available for supported versions.
Remediation
Immediate Actions
1. Apply the out-of-band patch immediately
Upgrade FortiClient EMS to the patched version provided by Fortinet. Given active exploitation, delay is not acceptable for internet-accessible or network-reachable deployments.
2. Restrict network access to EMS
If patching cannot be applied immediately, restrict access to the FortiClient EMS management interface:
- Block inbound connections to the EMS API ports from untrusted networks at the firewall
- Ensure EMS is not directly reachable from the internet
- Apply allowlist-based access control to limit EMS access to known administrator IP ranges
3. Review EMS audit logs for suspicious activity
# FortiClient EMS logs are typically in:
# Windows: C:\Program Files\Fortinet\FortiClientEMS\logs\
# Look for API calls from unexpected IP addresses or at unusual hours
# and unauthorized privilege changes in the audit trail4. Audit managed endpoint policies
After patching, review all FortiClient EMS policies for unauthorized changes. Look for:
- New or modified endpoint profiles pushed recently
- Changes to security feature settings (firewall, AV, VPN configurations)
- Unexpected endpoints added to or removed from management groups
5. Rotate credentials
If exploitation is suspected, rotate all administrative credentials associated with the FortiClient EMS deployment and any integrated directory services (Active Directory, LDAP).
Fortinet's Vulnerability Track Record
This disclosure continues a trend of critical vulnerabilities affecting Fortinet products that attract rapid adversarial exploitation. Previous high-impact Fortinet CVEs exploited in attacks include FortiOS SSL-VPN flaws and FortiClient EMS SQL injection vulnerabilities. Nation-state actors and ransomware operators have historically targeted Fortinet products for initial access to enterprise environments.
Recommendations for Security Teams
- Patch immediately — do not wait for a scheduled maintenance window given active exploitation
- Check exposure — verify whether your EMS instance is reachable from the internet or untrusted segments
- Review logs — investigate for evidence of pre-patch exploitation including unusual API access patterns
- Brief incident response — if exploitation is confirmed, treat the incident as a potential full endpoint compromise across all EMS-managed devices
Source: The Hacker News