Fortinet has taken urgent action by releasing out-of-band security patches to address a critical vulnerability in its FortiClient Enterprise Management Server (EMS). Tracked as CVE-2026-35616 with a high CVSS score of 9.1, this flaw is an improper access control vulnerability (CWE-284) within the pre-authentication API. The company has confirmed that this vulnerability is being actively exploited in the wild, elevating the threat to an immediate and severe risk for organizations using the unpatched software.
The core of the vulnerability lies in a bypass mechanism that allows an unauthenticated attacker to send specially crafted requests to the FortiClient EMS API. By exploiting this flaw, a threat actor can circumvent normal authentication checks, gaining unauthorized access to the management system. This access can then be leveraged to perform privilege escalation, potentially granting administrative control over the entire FortiClient EMS deployment. Such control could enable an attacker to deploy malicious software, manipulate security policies, steal sensitive endpoint data, or use the compromised server as a foothold for lateral movement within the corporate network.
Given the confirmed in-the-wild exploitation, Fortinet's release of out-of-band patches—outside its typical scheduled update cycle—underscores the severity. Administrators responsible for FortiClient EMS versions 7.2.0 through 7.2.2 and versions 7.0.0 through 7.0.10 must apply the provided updates immediately. The fixed versions are 7.2.3 and 7.0.11, respectively. As a critical mitigation step, organizations should also consider restricting network access to the EMS management interface, ensuring it is not exposed directly to the internet, and monitoring logs for any suspicious API activity originating from untrusted sources.
This incident is a stark reminder of the risks associated with centralized endpoint management systems, which are high-value targets for cybercriminals. A compromise of an EMS server can undermine the security posture of every managed endpoint. Organizations are advised to not only apply this patch promptly but also to review their broader vulnerability management and network segmentation strategies to protect critical administrative infrastructure from similar future threats.
