Fortinet Releases Emergency Patch for Actively Exploited FortiClient EMS Zero-Day — CVE-2026-35616

Summary

Fortinet has issued an emergency hotfix for CVE-2026-35616, a critical improper access control vulnerability in FortiClient Enterprise Management Server (EMS). The flaw enables unauthenticated attackers to execute arbitrary code or commands through specially crafted requests, and has been confirmed as actively exploited in the wild.

FortiClient EMS is widely deployed in enterprise environments to centrally manage endpoint security agents across thousands of devices. The vulnerability affects the management console’s authentication layer, meaning attackers can bypass security controls entirely without valid credentials. Fortinet has urged all customers to apply the hotfix immediately.

Source

Reported by Check Point Research and The Hacker News.

Commentary

Fortinet products continue to be a magnet for zero-day exploitation, and at this point it’s almost a quarterly tradition. FortiClient EMS is particularly dangerous as a target because compromising the management server gives attackers control over the very tool designed to protect endpoints — it’s the keys to the kingdom.

The pattern is familiar: critical Fortinet vuln drops, active exploitation is already happening, and organizations scramble to patch. If you’re still treating Fortinet patches as “we’ll get to it in the next maintenance window,” you’re playing a losing game. These need to be treated as incident-response-priority patches. If your EMS is internet-facing (and many are, for remote device management), assume compromise until proven otherwise.
