Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

The vulnerability identified as CVE-2026-35616 in the FortiClient EMS system has become a new, critical flashpoint that hackers are exploiting in zero-day attacks even before the mass deployment of patches. According to the latest Zscaler ThreatLabz 2026 VPN Risk Report, artificial intelligence has drastically shortened the time required for cybercriminals to exploit vulnerabilities, turning remote access into the fastest route to breaching corporate structures. This flaw allows for remote code execution (RCE) with system privileges, which in practice means a full takeover of the server managing endpoint security. For global users and administrators, this necessitates an immediate shift from a reactive protection model toward a Zero Trust architecture. The scale of the threat is significant, as FortiClient EMS serves as the foundation of protection for thousands of enterprises, and AI-driven attack automation is turning traditional VPN systems into the weakest link. A practical step for organizations is not only the instantaneous update of Fortinet software but, above all, the implementation of rigorous network segmentation and identity verification at every stage of the connection. In an era of lightning-fast breaches, security no longer depends on the strength of the firewall, but on the speed of eliminating points of contact with the public internet.
Cybersecurity in 2026 has entered a phase where every hour of delay in patching edge systems can mean the total compromise of a corporate network. Fortinet, one of the leaders in network security solutions, has just released critical out-of-band patches for a vulnerability in the FortiClient EMS (Endpoint Management Server) software. The situation is serious, as the manufacturer has officially confirmed that the vulnerability designated as CVE-2026-35616 is already being actively exploited by cybercriminals in "in the wild" attacks.
The scale of the problem is massive, reflected by a CVSS score of 9.1. We are dealing with a CWE-284 (Improper Access Control) class weakness that strikes at the very foundations of access management. In an era where remote infrastructure has become the backbone of global business, a flaw allowing authentication bypass at such a critical point as an endpoint management server represents a worst-case scenario for IT administrators.
Anatomy of the CVE-2026-35616 vulnerability
The CVE-2026-35616 vulnerability has been classified as a pre-authentication API access bypass. In practice, this means that an unauthorized attacker within network reach of the FortiClient EMS server can bypass the login process and gain access to API interfaces that should be rigorously protected. This is a direct path to privilege escalation, giving the intruder control over a system that is intended to monitor and secure thousands of endpoint devices within an organization.
The attack mechanism exploits flaws in API access control, allowing for the remote execution of administrative operations without possessing any credentials. Since FortiClient EMS is used for the centralized management of security policies, updates, and the protection status of employee computers, gaining control over it allows attackers to mass-distribute malware or disable security features on all connected workstations simultaneously.
It is worth noting the specifics of CWE-284 in this release. This is not a simple coding error, but a fundamental flaw in the authorization logic of requests directed to the server. In corporate environments where FortiClient EMS is often exposed to the network to support remote workers, the attack vector becomes extremely easy to exploit, explaining the rapid appearance of exploits in the hands of criminal groups.
Zscaler Report and the new era of AI threats
The publication of patches by Fortinet coincides with alarming data contained in the Zscaler ThreatLabz 2026 VPN Risk Report, prepared in collaboration with Cybersecurity Insiders. This report sheds new light on why vulnerabilities like CVE-2026-35616 are significantly more dangerous today than just a few years ago. According to analysts, artificial intelligence has drastically shortened the so-called "human response window" — the time humans have to react to an incident.
- Speed of exploitation: AI-based tools allow attackers to instantly scan the Internet for vulnerable FortiClient EMS servers and automatically generate exploits immediately after information about a bug is published.
- Remote access as a weak point: The report indicates that remote access has become the fastest path to breach, overtaking traditional phishing.
- Automation of escalation: After gaining access through an API vulnerability, AI scripts can perform network reconnaissance in seconds and identify an organization's most valuable assets.

The Zscaler analysis emphasizes that the traditional approach of patching systems in monthly cycles is no longer adequate. Since AI can turn remote access into a highway for ransomware, every pre-authentication bypass vulnerability must be treated as a highest-priority emergency. By choosing to release patches out of band, Fortinet is making it clear that the threat to FortiClient EMS users is immediate and real.
Technical implications for IT infrastructure
For security engineers, it is crucial to understand that CVE-2026-35616 does not require user interaction. An attacker does not need to send an infected email or count on an employee error. The entire process takes place at the machine-to-machine communication level. This makes FortiClient EMS systems that have not yet been updated de facto "open doors" to the interior of the company.
"Improper access control in an endpoint management system is a critical error because it undermines trust in the entire Zero Trust architecture that organizations are trying to build," industry experts note in the context of recent events.
The implementation of Fortinet patches should cover all FortiClient EMS instances, with particular emphasis on those accessible from a public IP address. In the current threat landscape, where Initial Access Brokers (IABs) hunt for edge systems, having an unpatched management server is equivalent to an invitation into the network. The CVE-2026-35616 specification suggests that attackers can not only steal data but also modify security configurations, making their presence extremely difficult to detect by standard EDR systems.
The necessity for an immediate update also stems from the fact that Fortinet rarely decides to communicate active exploitation of bugs unless it has hard evidence from telemetry systems. Since such a message has appeared, it means that campaigns exploiting this specific vulnerability are already underway. Organizations should not only deploy the patch but also review FortiClient EMS server logs for unusual API calls and privilege escalation attempts that may have occurred prior to the patch installation.
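One way to structure the pre-patch log review recommended above, as an added example that is not Fortinet's or FortiClient EMS's own code: the log format, the API paths and the trusted network below are constructed assumptions for illustration, not the product's real format, so the parser must be adapted to the actual EMS log schema before use. The logic flags successful calls to sensitive API paths from a source that never completed a login (the pre-authentication pattern the page describes) and calls from outside the expected administrative network, restricted to the window before the patch was applied.

```python
"""Triage helper for reviewing pre-authentication API access.

Assumed (constructed) line format, NOT FortiClient EMS's real format:
  <iso-timestamp> <src-ip> <method> <path> <http-status> session=<id|->
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: two internal sessions plus an external source
# that reaches admin endpoints successfully without ever logging in.
SAMPLE_LOG = """\
2026-04-01T08:00:01 10.20.0.5 POST /api/login 200 session=a1
2026-04-01T08:00:05 10.20.0.5 GET /api/policies 200 session=a1
2026-04-01T08:10:11 203.0.113.9 POST /api/admin/users 200 session=-
2026-04-01T08:10:12 203.0.113.9 PUT /api/endpoints/policy 200 session=-
2026-04-01T09:00:00 10.20.0.7 GET /api/health 200 session=-
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) session=(\S+)$")
ADMIN_PREFIXES = ("/api/admin", "/api/endpoints")   # assumed sensitive paths
TRUSTED_NETS = [ip_network("10.0.0.0/8")]            # assumed admin network


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, session = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "status": int(status), "session": session}


def find_suspicious(log_text, patched_at_iso):
    """List (timestamp, ip, path, reasons) for admin-API successes before the patch
    that came without an authenticated session or from an untrusted source."""
    patched_at = datetime.fromisoformat(patched_at_iso)
    logged_in, findings = set(), []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None or rec["ts"] >= patched_at:
            continue
        if rec["path"] == "/api/login" and rec["status"] == 200:
            logged_in.add(rec["ip"])          # remember who authenticated
            continue
        if not (rec["path"].startswith(ADMIN_PREFIXES) and rec["status"] < 400):
            continue                          # only successful sensitive calls
        reasons = []
        if rec["session"] == "-" or rec["ip"] not in logged_in:
            reasons.append("admin API success without authenticated session")
        if not any(ip_address(rec["ip"]) in net for net in TRUSTED_NETS):
            reasons.append("source outside trusted admin network")
        if reasons:
            findings.append((rec["ts"].isoformat(), rec["ip"], rec["path"], reasons))
    return findings
```

Any hit should be treated as a possible pre-patch compromise and followed by a review of configuration changes made on the server, since the page notes attackers can alter security policies to evade EDR.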
Remote access becomes an increasing risk
The FortiClient EMS incident fits into a broader trend where tools meant to protect infrastructure become targets themselves. The paradox is that the more advanced and centrally managed our security systems are, the greater the damage caused by a single error in their code. CVE-2026-35616 is further proof that the Endpoint Management software category must undergo rigorous API security audits.
In light of the data from Zscaler ThreatLabz, it is clear that the era of the "secure perimeter" has finally come to an end. The shortening of the reaction window by AI forces companies to move toward full patch automation and microsegmentation. If an attacker can bypass authentication in FortiClient EMS, the only barrier protecting the rest of the network is how deeply that server is isolated from the organization's critical assets.
Looking at the dynamics of threat development in 2026, it can be argued that critical vulnerabilities in access management systems will become the main driver for the evolution of network architecture. Companies that do not automate the process of deploying critical patches within minutes of their release will be constantly exposed to attacks whose pace exceeds the capabilities of manual human response. The case of Fortinet and CVE-2026-35616 is a brutal reminder that in the digital arms race, API bypass and privilege escalation are the most effective weapons in the modern cybercriminal's arsenal.