Fortinet Patches a Critical Flaw — After Attackers Already Found It
Fortinet has released an emergency out-of-band patch for CVE-2026-35616, a critical vulnerability in FortiClient EMS carrying a CVSS score of 9.1. The patch didn't arrive as a precaution. Fortinet confirmed the flaw was actively exploited in the wild before the fix was published. That detail matters. An out-of-band release means Fortinet broke from its normal patching schedule because the risk was too high to wait. When a vendor does that, the threat is real and the window between exposure and exploitation is already closing — or has closed entirely.
FortiClient EMS (Endpoint Management Server) is the centralised management platform organisations use to control FortiClient deployments across their estate. It handles policy enforcement, telemetry, and endpoint compliance. Compromising it doesn't just affect one machine. It hands an attacker a vantage point over the entire managed endpoint environment.
What Does CVE-2026-35616 Actually Do?
CVE-2026-35616 is classified as an improper access control vulnerability (CWE-284). In plain terms: the API layer in FortiClient EMS does not properly verify whether a request comes from an authenticated user before acting on it. An attacker who hasn't logged in — who has no valid credentials whatsoever — can send a crafted request to the API and bypass that authentication gate entirely. Once through, they can escalate privileges within the system.
Think of it like a hotel where the staff entrance has a keycard reader, but the door swings open if you knock in a specific pattern, regardless of whether you have a key. You're inside without authorisation, and once inside, you can access rooms the keycard was supposed to protect.
Pre-authentication flaws like this are particularly dangerous because they eliminate the most common early warning signal defenders rely on: failed login attempts. There are no brute-force alerts, no credential stuffing indicators, no anomalous authentication events. The attacker walks through a door that was never properly locked.
- CVSS score: 9.1 (Critical)
- Vulnerability class: Improper Access Control (CWE-284)
- Attack vector: Pre-authentication API bypass
- Impact: Privilege escalation within FortiClient EMS
- Exploitation status: Confirmed active exploitation in the wild
Why Pre-Authentication Flaws Are a Defender's Nightmare
Most security monitoring is calibrated around authenticated sessions. Behavioural baselines, anomaly detection, and user risk scoring all assume that a legitimate user identity is attached to the activity being analysed. Pre-authentication exploits sidestep that entire model. By the time an attacker has exploited CVE-2026-35616 and escalated their privileges, the damage is already several steps ahead of detection. In a managed endpoint environment, elevated access to the EMS platform means the attacker can potentially push policy changes, disable security controls, or read telemetry data about the organisation's entire endpoint estate.
This is also why the out-of-band release cadence is a red flag worth paying attention to. Fortinet publishes a regular patch cycle. Departing from that cycle is a deliberate signal to the security community: do not wait for the next scheduled update. Patch now.
According to data tracked by the Cybersecurity and Infrastructure Security Agency (CISA), Fortinet vulnerabilities have appeared on the Known Exploited Vulnerabilities (KEV) catalogue repeatedly since 2022, including CVE-2022-40684, CVE-2023-27997, and CVE-2024-21762. The pattern is consistent: Fortinet products are high-value targets, and threat actors move quickly once a flaw is confirmed.
Who Is Exposed Right Now?
Any organisation running a vulnerable version of FortiClient EMS that hasn't yet applied the patch is exposed. FortiClient EMS is widely deployed across enterprise environments — it's the management backbone for organisations that have standardised on Fortinet's endpoint security suite.
The exposure isn't limited to the EMS server itself. Because the platform manages endpoint policy and telemetry across an estate, a successful attack against it creates a lateral movement opportunity. An attacker with elevated access in the management plane can observe, manipulate, or disable the very tools designed to detect them on endpoints.
For organisations with internet-facing FortiClient EMS deployments, the risk is higher still. The pre-authentication nature of the exploit means exposure to the public internet is the only precondition. There's no need for the attacker to phish an employee or steal credentials first.
The honest assessment: if you use FortiClient EMS and you haven't confirmed your patch status in the last 48 hours, you should do that before anything else.
The Bigger Pattern: Unpatched Management Interfaces Are a Strategic Target
CVE-2026-35616 is not an isolated incident. It fits a well-documented pattern that threat intelligence teams have tracked for the past three years: attackers are deliberately targeting management and orchestration platforms rather than individual endpoints. The logic is straightforward. Compromising one endpoint gives you one foothold. Compromising the platform that manages thousands of endpoints gives you the keys to the estate. Management interfaces, API gateways, and centralised control planes have become the primary target category for sophisticated threat actors.
This is exactly the threat model that continuous attack surface management is designed to expose before attackers exploit it. Tools like Hadrian, which Kyanite Blue offers to clients across the UK and internationally, continuously scan and assess an organisation's external attack surface — including exposed management interfaces, unpatched services, and API endpoints that shouldn't be publicly reachable. The value isn't in finding vulnerabilities after the fact. It's in identifying the exposure before the CVE drops and certainly before active exploitation begins.
If your FortiClient EMS management interface was reachable from the internet, an attack surface management platform would flag that as a risk worth addressing — independent of whether a specific CVE existed for it. Reducing the attack surface is a control that works even when you don't yet know what the next vulnerability will be. You can learn more about how Hadrian works at /products/hadrian.
Patch Urgency and What to Do in the Next 24 Hours
Fortinet has published guidance and patches for CVE-2026-35616. The immediate actions are clear:
First, identify every instance of FortiClient EMS in your environment. This sounds obvious, but in larger organisations with distributed IT ownership, shadow deployments or legacy management servers can sit untracked.
Second, check the version running against Fortinet's advisory. Apply the out-of-band patch immediately. This is not a 'schedule it for the next maintenance window' situation. Active exploitation means the threat is current.
Third, review network access controls for your EMS deployment. If the management interface is reachable from the public internet, restrict access to known IP ranges or move it behind a VPN. This doesn't replace patching, but it reduces the attack surface while the patch is being deployed.
Fourth, check your logs for anomalous API activity against the EMS server going back at least 14 days. Given that exploitation was confirmed before the patch released, there's a realistic possibility that some environments were targeted before defenders were aware of the vulnerability. If you see unusual API calls or unexpected privilege changes in that window, treat it as a potential indicator of compromise and investigate accordingly.
- Apply Fortinet's out-of-band patch for CVE-2026-35616 immediately
- Audit all FortiClient EMS instances across your estate, including unmanaged or legacy deployments
- Restrict network access to the EMS management interface — internet exposure is not acceptable for this service
- Review API access logs for anomalous activity over the past 14 days
- If you find suspicious activity, escalate to your incident response team — don't assume it's benign
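One way to carry out the log review step above, as an added example that is not Fortinet's or Kyanite Blue's code: the log line format, the API paths and the sample lines are all constructed, so the regex and the privileged path prefixes would need adapting to the real EMS log format. It restricts to the 14-day look-back the post recommends and flags privileged API calls that succeeded with no authenticated user attached, because a pre-authentication bypass leaves no failed logins to alert on.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not Fortinet's real EMS
# log format): <ISO timestamp> <client ip> <user or '-'> <method> <path> <status>
SAMPLE_LOG = """\
2026-04-10T08:01:12Z 10.0.5.20 admin POST /api/v1/login 200
2026-04-10T08:01:15Z 10.0.5.20 admin GET /api/v1/endpoints 200
2026-04-14T02:17:44Z 203.0.113.9 - GET /api/v1/login 401
2026-04-14T02:17:49Z 203.0.113.9 - POST /api/v1/users/roles 200
2026-04-14T02:17:51Z 203.0.113.9 - PUT /api/v1/policies/default 200
2026-03-01T10:00:00Z 198.51.100.7 - POST /api/v1/users/roles 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Hypothetical API paths whose successful use implies an authorised,
# privileged action (role or policy changes) on the management server.
PRIVILEGED_PREFIXES = ("/api/v1/users", "/api/v1/policies")


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, method, path, status = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": None if user == "-" else user,
            "method": method, "path": path, "status": int(status),
        })
    return events


def find_unauthenticated_success(events, now_iso, window_days=14):
    """Return privileged API calls inside the look-back window that succeeded
    (2xx) with no authenticated user attached. A pre-auth bypass produces no
    failed logins to alert on, so the signal is success with an empty subject."""
    cutoff = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ") - timedelta(days=window_days)
    return [e for e in events
            if e["ts"] >= cutoff and e["user"] is None
            and 200 <= e["status"] < 300
            and e["path"].startswith(PRIVILEGED_PREFIXES)]


if __name__ == "__main__":
    for h in find_unauthenticated_success(parse(SAMPLE_LOG), "2026-04-15T00:00:00Z"):
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"])
```

Each hit is a starting point for investigation, not proof of compromise: correlate the source IP and timestamps against the EMS audit trail before escalating.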
How to Protect Your Business From Vulnerabilities Like This
The core problem CVE-2026-35616 exposes is not just a Fortinet issue. It's a visibility problem. Organisations frequently don't know what's exposed until a CVE makes the news — and by then, exploitation may already be under way.
Hadrian, available through Kyanite Blue, takes a continuous outside-in view of your attack surface. It maps what's reachable from the internet, identifies misconfigured or exposed management interfaces, and flags API endpoints that carry risk — including the kind of exposure that makes pre-authentication exploits possible. If your FortiClient EMS server was reachable before this patch dropped, Hadrian would have flagged that management interface as an external risk well before CVE-2026-35616 became a headline. You can explore how Hadrian works for your environment at /products/hadrian.
For organisations concerned about what else might be exposed across their estate, Sophos MDR provides 24/7 managed detection and response — meaning that even when a patch hasn't yet been applied, a team of analysts is actively hunting for the behavioural indicators that suggest exploitation is in progress. Sophos MDR can detect lateral movement and privilege escalation activity even when the initial entry point bypasses authentication controls. More details are available at /products/sophos.
For UK businesses, Coro's unified security platform adds an additional layer of endpoint and network monitoring that can surface anomalous behaviour at the endpoint level — useful when an attacker has already gained elevated access to a management platform and is using it to interact with endpoints (/products/coro).
The most effective time to find an exposed management interface is before a threat actor does. If you want to know what your organisation looks like from the outside right now, our team can run an attack surface assessment and give you a clear picture of your current exposure.
Take a free security assessment at /contact — it takes less than 10 minutes to get started and gives you something actionable, not a sales deck.
Frequently Asked Questions
What is CVE-2026-35616 and why is it critical?
CVE-2026-35616 is a pre-authentication API access bypass vulnerability in Fortinet's FortiClient EMS, rated CVSS 9.1. It allows an unauthenticated attacker to bypass access controls and escalate privileges within the endpoint management platform. Fortinet confirmed active exploitation before releasing an emergency out-of-band patch in April 2026.
Should I patch FortiClient EMS immediately even if my server isn't internet-facing?
Yes. While internet-facing deployments carry the highest immediate risk, privilege escalation within FortiClient EMS can have estate-wide consequences regardless of how access was initially gained. Active exploitation has been confirmed, so patching should be treated as urgent across all deployments, not just externally accessible ones.
How can attack surface management help prevent vulnerabilities like CVE-2026-35616?
Attack surface management tools like Hadrian continuously scan your external-facing environment to identify exposed services and management interfaces before attackers find them. Even without a specific CVE, an internet-accessible management platform like FortiClient EMS would be flagged as a high-risk exposure, giving you time to remediate before exploitation begins.