Critical Pre‑Auth API Bypass in FortiClient EMS (CVE‑2026‑35616) Actively Exploited – Urgent Patch Required
What It Is – Fortinet disclosed CVE‑2026‑35616, a critical improper‑access‑control flaw (CWE‑284) in FortiClient EMS that lets an unauthenticated attacker bypass authentication via a pre‑auth API and execute arbitrary commands.
Exploitability – The vulnerability is actively exploited in the wild; Fortinet observed exploitation and released out‑of‑band patches. CVSS 9.1 (Critical).
Affected Products – FortiClient EMS 7.4.5 and 7.4.6 (hotfixes available); permanent fix slated for 7.4.7.
TPRM Impact – The EMS platform is often deployed by MSPs and large enterprises to manage thousands of endpoints. A compromised EMS server can become a foothold for lateral movement, data exfiltration, or ransomware across multiple third‑party environments.
Recommended Actions –
- Deploy the FortiClient EMS hotfixes for 7.4.5 and 7.4.6 immediately.
- Confirm the hotfix is applied on every EMS server, including instances hosted for you by an MSP; the flaw is in the EMS server itself, so FortiClient agent versions on managed endpoints say nothing about exposure.
- Enable request logging for the EMS management interface and alert on API calls that succeed without a preceding authentication, and on one source address walking many API routes without a session.
- Segment EMS infrastructure from critical assets and enforce least‑privilege network zones.
- Subscribe to Fortinet’s threat‑intel feeds for IOCs related to this exploit.
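The monitoring step above is the one that needs concrete logic. The script below is an added example, not Fortinet's code and not taken from the advisory: it scans web-server access logs for API requests that were answered with a 2xx status yet carried no session cookie and did not target the login route, which is what an authentication bypass looks like in access logs regardless of the underlying flaw. The log format (Apache-style with a trailing quoted Cookie field), the route names under `/api/v1/`, the `session=` cookie name and the sample lines are all constructed assumptions; substitute the paths and log format your EMS deployment actually uses.

```python
import re
from collections import defaultdict

# Constructed sample log in an Apache-style custom format with the Cookie
# request header appended as the last quoted field. These are not real EMS
# logs and the /api/v1/ routes are placeholders, not documented EMS paths.
SAMPLE_LOG = """\
10.0.5.21 - - [02/Apr/2026:09:14:02 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
10.0.5.21 - - [02/Apr/2026:09:14:03 +0000] "GET /api/v1/endpoints HTTP/1.1" 200 20481 "-" "Mozilla/5.0" "session=abc123"
203.0.113.7 - - [02/Apr/2026:09:15:40 +0000] "GET /api/v1/endpoints HTTP/1.1" 200 20481 "-" "python-requests/2.31" "-"
203.0.113.7 - - [02/Apr/2026:09:15:41 +0000] "POST /api/v1/tasks?async=1 HTTP/1.1" 201 88 "-" "python-requests/2.31" "-"
203.0.113.7 - - [02/Apr/2026:09:15:42 +0000] "POST /api/v1/auth/login HTTP/1.1" 401 40 "-" "python-requests/2.31" "-"
10.0.5.30 - - [02/Apr/2026:09:16:00 +0000] "GET /api/v1/endpoints HTTP/1.1" 401 40 "-" "Mozilla/5.0" "-"
"""

# One regex for the assumed format: client, ident, user, [time], "request",
# status, size, "referer", "user-agent", "cookie".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

API_PREFIX = "/api/"                      # assumed: all management API routes live here
AUTH_EXEMPT = {"/api/v1/auth/login"}      # assumed: the only route that may legitimately be pre-auth
SESSION_COOKIE = "session="               # assumed: name of the cookie that marks an authenticated call


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Drop the query string so route comparisons are on the path alone.
    entry["path"] = entry["target"].split("?", 1)[0]
    entry["status"] = int(entry["status"])
    return entry


def is_authenticated(entry):
    """True if the request carried the session cookie (a '-' cookie field means none)."""
    return SESSION_COOKIE in entry["cookie"]


def find_preauth_api_hits(log_text):
    """Return API requests that succeeded (2xx) without a session on a route that requires one."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if not entry["path"].startswith(API_PREFIX) or entry["path"] in AUTH_EXEMPT:
            continue
        if is_authenticated(entry) or not 200 <= entry["status"] < 300:
            continue
        hits.append({k: entry[k] for k in ("client", "time", "method", "path", "status", "ua")})
    return hits


def summarize_by_client(hits):
    """Group flagged requests by source address so route enumeration stands out."""
    by_client = defaultdict(list)
    for h in hits:
        by_client[h["client"]].append(h["path"])
    return dict(by_client)


if __name__ == "__main__":
    for client, paths in summarize_by_client(find_preauth_api_hits(SAMPLE_LOG)).items():
        print(f"{client}: {len(paths)} unauthenticated API success(es): {', '.join(paths)}")
```

Run against the constructed sample, only 203.0.113.7 is reported: it read the endpoint inventory and created a task with no session cookie and got 2xx both times, while the legitimate admin at 10.0.5.21 logged in first and the 401 at 10.0.5.30 is the server doing its job. Feed the functions your real logs instead of `SAMPLE_LOG` and tune `AUTH_EXEMPT` to the routes your EMS version actually serves pre-auth, or every login and health-check call will be flagged.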
Source: SecurityAffairs – CVE‑2026‑35616 Fortinet fixes actively exploited high‑severity flaw