Fortinet has released emergency security updates to address a critical vulnerability in FortiClient EMS that cybercriminals have been actively leveraging in real-world attacks. The flaw, identified as CVE-2026-35616, carries a CVSS severity score of 9.1, indicating its dangerous nature and potential for widespread exploitation.
Critical FortiClient EMS Vulnerability Actively Exploited
The vulnerability stems from improper access control mechanisms within the platform, classified under CWE-284. The security weakness enables attackers to bypass authentication requirements on API endpoints, granting them unauthorized access to sensitive system functions. More critically, the flaw allows threat actors to escalate their privileges once inside the system, potentially giving them administrative-level control over affected FortiClient EMS deployments.
Authentication Bypass Enables Privilege Escalation
The out-of-band patch release underscores the urgency of the threat. Out-of-band updates—released outside normal maintenance windows—are typically reserved for severe vulnerabilities that pose immediate risk to enterprise environments. This accelerated response suggests that active exploitation attempts have already been documented in production systems worldwide.
Immediate Patching Required for Enterprise Networks
FortiClient EMS serves as a centralized endpoint management solution used by organizations to monitor, manage, and secure devices across their networks. A compromise at this level could potentially expose entire device fleets to malicious actors, making prompt patching essential for security teams.
Security Teams Must Audit Access Logs
Organizations running FortiClient EMS should prioritize deploying these patches immediately to their environments. Security teams should also conduct thorough audits of their FortiClient EMS deployments to identify any unauthorized API access or privilege escalation attempts that may have occurred before patching.
This incident highlights the persistent threat landscape facing enterprise infrastructure. The combination of pre-authentication access and privilege escalation capabilities makes CVE-2026-35616 particularly dangerous, as attackers require minimal initial access to compromise affected systems. Organizations maintaining detailed access logs and monitoring capabilities should review recent activity for suspicious patterns consistent with exploitation attempts.