New FortiClient EMS Flaw Exploited in Attacks, Emergency Patch Released

Fortinet has issued an emergency out-of-band security update for a critical flaw in FortiClient Enterprise Management Server (EMS) that threat actors are actively exploiting in the wild. The vulnerability — CVE-2026-35616 (CVSS 9.1) — is a pre-authentication API access bypass that enables unauthenticated attackers to escalate privileges to administrator level, granting full control over managed endpoints.

Vulnerability Details: CVE-2026-35616

The flaw allows an unauthenticated attacker to reach privileged API endpoints on the EMS server without valid credentials, then escalate to full administrator access within the management platform.

Why FortiClient EMS Is a High-Value Target

FortiClient EMS is Fortinet's centralized solution for deploying, managing, and enforcing security policies on FortiClient endpoint agents across enterprise workstations, laptops, and servers. Because it holds administrative authority over all connected endpoints, a single EMS compromise can cascade into control of every managed device in the organization — making it an especially attractive target for ransomware operators and nation-state actors seeking broad initial access.

With administrative access via CVE-2026-35616, an attacker could:

• Push malicious endpoint policies to all managed FortiClient agents
• Disable security controls — antivirus, firewall rules, and web filtering — on managed devices
• Extract endpoint inventory including device names, usernames, and network topology
• Deploy payloads or commands through EMS-managed agent channels across the entire fleet

Emergency Weekend Patch

Fortinet released this update outside its regular quarterly security cycle, signaling the severity and urgency of the active exploitation. The weekend release follows a now-familiar pattern for Fortinet: critical network security product vulnerabilities that attract rapid adversarial activity trigger out-of-band fixes within days of initial exploitation reports.

Organizations should not wait for a scheduled maintenance window. Active exploitation means delay increases the window of risk substantially.

Remediation Steps

1. Apply the emergency patch immediately

Upgrade FortiClient EMS to the patched version identified in Fortinet's official security advisory. Check FortiGuard for version-specific remediation guidance.

2. Restrict EMS network access

While patching is prepared, isolate the EMS server:

• Block inbound connections to the EMS API from untrusted networks at the perimeter firewall
• Confirm EMS is not directly reachable from the internet
• Apply IP allowlisting to restrict access to known administrator IP ranges only

3. Review EMS audit logs for suspicious activity

Look for API calls from unexpected IP addresses, privilege escalation events, and unauthorized changes to endpoint policies — particularly in the period before the patch was applied.

4. Audit managed endpoint policies

After patching, review all FortiClient EMS policies for unauthorized changes:

• New or modified endpoint profiles created recently
• Changes to security feature settings (firewall, AV, VPN)
• Unexpected additions or removals from management groups

5. Rotate credentials

If exploitation is suspected, rotate all administrative credentials for the FortiClient EMS deployment and any integrated directory services (Active Directory, LDAP).

Fortinet's Vulnerability Track Record

CVE-2026-35616 continues a well-documented trend of critical Fortinet product vulnerabilities attracting rapid adversarial exploitation. Prior high-impact Fortinet flaws — including FortiOS SSL-VPN zero-days and the 2025 FortiClient EMS SQL injection vulnerabilities — were exploited at scale by ransomware groups and APT actors for initial network access. Security teams managing Fortinet infrastructure should treat any new Fortinet critical advisory as requiring emergency response timelines, not standard patch cycle cadence.

Source: BleepingComputer