# Fortinet Patches Critical Pre-Authentication Vulnerability in FortiClient EMS Under Active Exploit


Fortinet has released emergency patches to address a critical pre-authentication API access bypass vulnerability in FortiClient EMS that is actively being exploited in the wild. The flaw allows attackers to bypass authentication controls and escalate privileges on affected systems without requiring valid credentials, potentially granting unauthorized administrative access to enterprise endpoint management infrastructure.


## The Threat


FortiClient EMS (Endpoint Management Server) is a widely deployed centralized management platform used by organizations to monitor, configure, and control endpoint security across corporate environments. The vulnerability—tracked as CVE-2026-35616—stems from improper access control mechanisms in the API layer that allows pre-authenticated users to bypass security checks and gain elevated privileges.


The vulnerability is particularly dangerous because it requires no valid user credentials to exploit. An attacker with network access to the FortiClient EMS instance can craft malicious API requests to circumvent authentication controls and elevate their privileges to administrative levels. This provides a direct path to take over endpoint management infrastructure, potentially affecting thousands of client devices across an organization.


Security researchers have confirmed active exploitation of this vulnerability in real-world attacks. The exploitation has been observed in both targeted and opportunistic campaigns, indicating that threat actors have quickly weaponized the vulnerability. Organizations running unpatched FortiClient EMS instances are at immediate risk of compromise.


## Severity and Impact


| Attribute | Details |

|-----------|---------|

| CVE ID | CVE-2026-35616 |

| CVSS Score | 9.1 (Critical) |

| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

| Attack Vector | Network |

| Attack Complexity | Low |

| Privileges Required | None |

| User Interaction | None |

| Scope | Unchanged |

| CWE | CWE-284 (Improper Access Control) |

| Exploitation Status | Active in the wild |


The CVSS score of 9.1 reflects the critical nature of this vulnerability. The low attack complexity and lack of privilege or user interaction requirements mean that exploitation is straightforward. Any networked attacker can potentially compromise a vulnerable FortiClient EMS instance without special knowledge or sophisticated attack techniques.


## Affected Products


The following Fortinet FortiClient EMS versions are vulnerable to CVE-2026-35616:


  • FortiClient EMS 7.0.0 through 7.0.10 (all 7.0.x versions)
  • FortiClient EMS 7.2.0 through 7.2.8 (all 7.2.x versions)

    • Organizations running any version in these ranges should prioritize patching immediately. Fortinet has released patched versions:

  • FortiClient EMS 7.0.11 and later (7.0.x branch)
  • FortiClient EMS 7.2.9 and later (7.2.x branch)

    • Note that FortiClient Endpoint Protection Agent (the client software deployed on workstations) is not affected by this vulnerability. The issue is isolated to the centralized management server component.


    ## Mitigations


    Immediate Actions:


    1. Apply patches urgently — Update FortiClient EMS to version 7.0.11 or 7.2.9 (depending on your current version) as soon as possible. Given the active exploitation and critical severity, this should be treated as an emergency patching cycle.


    2. Implement network segmentation — If immediate patching is not possible, restrict network access to the FortiClient EMS instance. Limit access to only authorized management workstations and administrative personnel. Use firewall rules to prevent direct API access from untrusted networks.


    3. Monitor API activity — Enable detailed logging on the FortiClient EMS API endpoints. Monitor for suspicious authentication bypass attempts, unusual privilege escalation requests, or unexpected administrative activity. Look for failed authentication followed by successful API calls that should require valid credentials.


    4. Review access logs — Audit historical API access logs to determine if your FortiClient EMS instance has been compromised. Look for evidence of unauthorized administrative account creation, privilege escalation events, or suspicious endpoint configuration changes.


    5. Reset credentials — After patching, reset all FortiClient EMS administrative credentials as a precautionary measure, particularly if you cannot conclusively verify that your system has not been compromised.


    6. Verify endpoint integrity — If there is any indication that your EMS has been compromised, conduct a thorough review of endpoint configurations pushed from the server. Verify that no unauthorized security policies, endpoint agents, or monitoring have been deployed to your client devices.


    ## References


  • [Fortinet Security Advisory - CVE-2026-35616](https://www.fortinet.com/content/dam/fortinet/assets/advisories/)
  • [Fortinet FortiClient EMS Release Notes](https://docs.fortinet.com/product/forticlient-ems/latest/release-notes)
  • [CVE-2026-35616 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-35616)
  • [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)

    • For further security updates and vulnerability analysis, follow HackWire's cybersecurity coverage.


    ---


    Word count: 847 words