Fortinet, a global leader in cybersecurity solutions, has released an out-of-band patch addressing a critical security flaw, tracked as CVE-2026-35616, impacting its FortiClient EMS (Endpoint Management System) software. The vulnerability, which carries a severe CVSS score of 9.1, has been confirmed to be actively exploited in the wild as a zero-day threat, prompting an urgent call for all affected organizations to apply the hotfix immediately. This incident marks the second critical, unauthenticated vulnerability in FortiClient EMS to come under active attack within weeks, raising significant concerns across the cybersecurity landscape.
The Critical Flaw: Pre-Authentication API Access Bypass and Privilege Escalation
The newly disclosed vulnerability, identified as CVE-2026-35616, is a pre-authentication API access bypass that can lead directly to privilege escalation. Fortinet’s advisory describes it as an "improper access control vulnerability [CWE-284] in FortiClient EMS" that could enable an unauthenticated attacker to "execute unauthorized code or commands via crafted requests." This classification as a pre-authentication flaw is particularly alarming, as it means an attacker does not need valid credentials to initiate an attack, effectively allowing them to bypass the initial layer of security and gain a foothold into the system.
A CVSS score of 9.1 places this vulnerability firmly in the "Critical" severity category. The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities. A score in this range indicates that the vulnerability is easily exploitable by a remote attacker, often with low complexity, and can lead to complete compromise of the affected system’s confidentiality, integrity, and availability. In the context of CVE-2026-35616, the ability for an unauthenticated attacker to execute arbitrary code or commands on a system responsible for managing endpoints across an organization presents a catastrophic risk. Such an exploit could grant an attacker deep access into an enterprise network, enabling data exfiltration, deployment of ransomware, or establishment of persistent access for future attacks.
The vulnerability specifically targets FortiClient EMS versions 7.4.5 through 7.4.6. FortiClient EMS is a centralized management console designed to provide full visibility and control over FortiClient endpoints, including features like endpoint compliance, software deployment, and vulnerability management. Given its critical role in managing an organization’s endpoint security posture, any compromise of FortiClient EMS can have widespread and severe repercussions, potentially undermining the entire security fabric of an enterprise.
Discovery and Early Exploitation Timeline
The discovery and subsequent reporting of CVE-2026-35616 are credited to Simo Kohonen from Defused Cyber and Nguyen Duc Anh. Their diligent work brought this critical flaw to Fortinet’s attention, enabling the vendor to develop and release the necessary patches.
However, the disclosure came amidst active exploitation observations, transforming the vulnerability into a "zero-day" threat – a vulnerability that is exploited by attackers before the vendor has a patch available or before users can reasonably apply it. According to Defused Cyber, they observed zero-day exploitation of CVE-2026-35616 "earlier this week." Further corroboration came from watchTowr, a cybersecurity firm, which reported that its honeypots – decoy systems designed to attract and monitor malicious activity – first recorded exploitation attempts against CVE-2026-35616 on March 31, 2026. This timeline indicates a rapid weaponization of the flaw, with attackers quickly moving to leverage the vulnerability once it became known, or even before public disclosure. The fact that attackers were already actively exploiting this vulnerability underscores the sophisticated nature of modern cyber threats and the continuous race between defenders and malicious actors.
The swift transition from discovery to in-the-wild exploitation highlights the immediate danger posed by such critical flaws. Cybersecurity teams often face a narrow window of opportunity to deploy patches before attackers can successfully compromise vulnerable systems. This particular incident serves as a stark reminder of the importance of proactive threat intelligence and rapid incident response capabilities for organizations globally.
Fortinet’s Response and Urgent Recommendations
In response to the active exploitation, Fortinet issued an out-of-band advisory (FG-IR-26-099) on a Saturday, a move typically reserved for vulnerabilities deemed extremely critical and requiring immediate attention outside of regular patch cycles. The company confirmed that it has "observed this to be exploited in the wild" and "urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6."
The immediate solution provided by Fortinet is a hotfix designed to address the vulnerability in the affected versions. While a full, integrated patch is expected to be included in the upcoming FortiClient EMS version 7.4.7, the hotfix serves as an emergency measure to mitigate the immediate threat. Organizations running the vulnerable versions are strongly advised not to wait for the general release of 7.4.7 but to apply the hotfix without delay. The process of applying hotfixes can sometimes be more involved than standard updates, but the severity of this zero-day exploitation necessitates prioritizing this action.
Fortinet’s prompt action in releasing an out-of-band patch demonstrates its commitment to addressing critical security issues, especially when active exploitation is confirmed. However, the recurring nature of such high-severity flaws also places a significant burden on their customer base, who must constantly remain vigilant and prepared for rapid patching cycles.
Broader Context: A Pattern of Vulnerabilities in FortiClient EMS
This latest critical vulnerability, CVE-2026-35616, does not exist in isolation. It follows closely on the heels of another recently patched, critical vulnerability in FortiClient EMS, CVE-2026-21643, which also carried a CVSS score of 9.1 and came under active exploitation. The proximity of these two events – both involving critical, unauthenticated flaws in the same product and both being actively exploited – is highly concerning for the cybersecurity community.
The existence of two such severe vulnerabilities within weeks suggests potential underlying architectural weaknesses or a concentrated effort by threat actors to target FortiClient EMS. While it is currently unknown if the same threat actor is responsible for exploiting both flaws, or if they are being weaponized in tandem as part of a multi-stage attack, the possibility cannot be ruled out. Coordinated exploitation of multiple vulnerabilities could allow attackers to establish more resilient access or achieve deeper network penetration.
This pattern of high-severity vulnerabilities in a widely deployed enterprise product like FortiClient EMS underscores a broader challenge in software security. Complex enterprise software, especially those managing critical infrastructure like endpoints, often presents a large attack surface. Even with rigorous testing, sophisticated vulnerabilities can elude detection until they are discovered by researchers or, more alarmingly, by malicious actors.
The "Holiday Weekend" Exploitation Strategy and Its Implications
A particularly salient point highlighted by cybersecurity experts is the timing of the observed exploitation. Benjamin Harris, CEO and founder of watchTowr, noted that "The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental." He further explained to The Hacker News that "Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity."
This observation underscores a common and effective tactic employed by advanced persistent threat (APT) groups and other sophisticated attackers. By launching attacks during holiday periods or weekends, they aim to exploit reduced staffing levels in security operations centers (SOCs), slower response times, and general organizational downtime. This strategic timing allows them to gain a significant "head start" in their operations, potentially compromising systems, establishing persistence, and exfiltrating data before their activities are detected and remediated. The Easter holiday, coinciding with the release of this critical patch, fits perfectly into this attacker modus operandi.
Harris’s strong admonition, "So, once again, organizations running FortiClient EMS and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning. Apply the hotfix. Attackers already have a head start," serves as a critical warning. It emphasizes that even outside of regular business hours, the threat landscape remains active and unforgiving. Organizations must maintain robust 24/7 incident response capabilities and ensure that critical patching procedures can be executed promptly, regardless of the calendar.
Implications for Organizations and Cybersecurity Posture
The exploitation of CVE-2026-35616 carries profound implications for organizations relying on FortiClient EMS. Successful exploitation could lead to:
- Massive Compromise: As FortiClient EMS manages a multitude of endpoints, a compromise of the central server could allow attackers to push malicious updates, install malware, or gain control over every managed endpoint within an organization’s network.
- Data Breaches and Intellectual Property Theft: With elevated privileges and arbitrary code execution capabilities, attackers could access sensitive data stored on endpoints or within the network, leading to significant data breaches, regulatory fines, and reputational damage.
- Ransomware Deployment: The ability to execute unauthorized code makes FortiClient EMS an ideal conduit for deploying ransomware across an entire organization, causing widespread operational disruption and significant financial losses.
- Supply Chain Attacks: If an attacker can manipulate the EMS to distribute malicious software as legitimate updates, it could facilitate a supply chain attack, impacting not only the directly affected organization but also its customers or partners.
- Undermining Trust: For Fortinet, repeated critical vulnerabilities in a key product can erode customer trust and confidence, leading to scrutiny over their security development lifecycle and quality assurance processes. For affected organizations, a successful breach via this vulnerability can shatter customer and stakeholder trust.
To mitigate these risks, organizations must adopt a proactive and multi-layered cybersecurity strategy. This includes:
- Immediate Patching: Prioritize the application of the hotfix for FortiClient EMS 7.4.5 and 7.4.6. This is non-negotiable for exposed systems.
- Vulnerability Management: Implement robust vulnerability scanning and patch management programs that ensure timely identification and remediation of security flaws across all software and infrastructure.
- Endpoint Detection and Response (EDR): Deploy and continuously monitor EDR solutions on all endpoints to detect and respond to suspicious activities that might indicate post-exploitation attempts.
- Network Segmentation: Implement strict network segmentation to limit the lateral movement of attackers, even if an initial compromise occurs.
- API Security Best Practices: Strengthen API security protocols, including rigorous authentication, authorization, input validation, and rate limiting for all exposed APIs.
- Incident Response Planning: Develop and regularly test comprehensive incident response plans, ensuring that teams are prepared to handle zero-day exploitation scenarios, especially during non-business hours.
- Threat Intelligence: Subscribe to and actively monitor threat intelligence feeds to stay informed about emerging vulnerabilities and active exploitation campaigns.
Conclusion
The disclosure and active exploitation of CVE-2026-35616 in FortiClient EMS represent a critical moment for cybersecurity professionals. It underscores the relentless nature of the threat landscape, where sophisticated attackers are constantly seeking and exploiting weaknesses, often leveraging strategic timing like holiday weekends. Fortinet’s swift release of an out-of-band patch provides a crucial defense, but the onus remains on organizations to act with extreme urgency. The recurrence of severe, unauthenticated vulnerabilities in such a vital enterprise tool demands not only immediate remediation but also a deeper examination of security postures and resilience strategies. In an era where every minute counts, proactive vigilance and rapid response are the only reliable shields against the ever-evolving tide of cyber threats.