Critical Pre‑Auth API Bypass (CVE‑2026‑35616) in FortiClient EMS Actively Exploited – Out‑of‑Band Patch Issued
What It Is – Fortinet disclosed a critical pre‑authentication API access bypass in FortiClient Endpoint Management Server (EMS) that allows unauthenticated attackers to elevate privileges to full administrative control. The flaw (CVE‑2026‑35616) is rated CVSS 9.1 (Critical).
Exploitability – Threat actors are already exploiting the vulnerability in the wild, and proof‑of‑concept code has been observed in underground forums. Fortinet issued an out‑of‑band patch to fix the issue; because exploitation predates the fix, an exposed server should be treated as possibly compromised until the log review below says otherwise.
Affected Products – FortiClient EMS 7.2.0‑7.2.5 (all supported releases) and any integrated FortiClient agents managed through the server.
TPRM Impact –
- Managed service providers (MSPs) and enterprises that rely on FortiClient EMS to enforce endpoint security face a direct supply‑chain risk.
- Successful exploitation can lead to lateral movement across the client environment, exposing sensitive data and compromising downstream third‑party services.
Recommended Actions –
- Deploy Fortinet’s out‑of‑band patch for FortiClient EMS immediately on all management servers.
- Verify that the installed version is 7.2.5‑P1 or later on every management server and confirm the installation succeeded in the EMS administration console, rather than relying on the deployment job status alone.
- Conduct a rapid audit of EMS logs for anomalous API calls or privilege‑escalation events covering the period before the out‑of‑band patch was released, since exploitation preceded the fix; missing or truncated logs for that window should be treated as unknown, not clean.
- Rotate all EMS administrative credentials and enforce MFA for management console access.
- Isolate and re‑image any endpoints that may have been compromised while the server was unpatched; apply the same treatment to the EMS host itself if compromise is suspected, because installing the patch does not evict an attacker who is already present.
- Review third‑party contracts to ensure vendors have applied the patch and can provide proof of remediation.
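The version check and the vendor attestation step above both reduce to the same question: does a reported EMS version fall inside the affected range, or is it at or past the fixed build? The script below is an added example, not Fortinet tooling or code from the advisory. It assumes version strings look like `7.2.3` or `7.2.5-P1` (the suffix notation is taken from the advisory's own `7.2.5‑P1`), that a `-Pn` build sorts after the same base version with no suffix, and that the inventory is a list of (host, version) pairs; the hosts and versions here are constructed so the script runs offline.

```python
"""Triage FortiClient EMS versions against the CVE-2026-35616 advisory.

Added example, not vendor code. Assumptions not stated by the advisory:
- version strings are "MAJOR.MINOR.PATCH" with an optional "-Pn" suffix
- a "-Pn" build sorts after the same base version without a suffix
- anything outside the listed 7.2.0-7.2.5 range is reported as
  "not_in_advisory_range" rather than "patched", so it gets verified
  with the vendor instead of being silently marked safe
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$", re.IGNORECASE)

AFFECTED_MIN = (7, 2, 0, 0)   # 7.2.0, first affected release per advisory
FIXED = (7, 2, 5, 1)          # 7.2.5-P1, first fixed build per advisory


def parse_version(text):
    """Return (major, minor, patch, pbuild); pbuild is 0 when no -Pn suffix."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EMS version string: {text!r}")
    major, minor, patch, pbuild = m.groups()
    return (int(major), int(minor), int(patch), int(pbuild or 0))


def triage(version):
    """Classify one reported version string.

    Returns one of: "vulnerable", "patched", "not_in_advisory_range",
    "unknown_version". A string that does not parse is never treated as
    safe; it is flagged so a human can chase the vendor for a real value.
    """
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown_version"
    # Only the 7.2 branch is listed as affected; other branches are not
    # covered by this advisory and need separate confirmation.
    if v[:2] != (7, 2) or v < AFFECTED_MIN:
        return "not_in_advisory_range"
    if v < FIXED:
        return "vulnerable"
    return "patched"


def triage_inventory(inventory):
    """Map each host to its triage result; inventory is [(host, version), ...]."""
    return {host: triage(version) for host, version in inventory}


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    ("ems-hq.example.test", "7.2.5"),
    ("ems-dr.example.test", "7.2.5-P1"),
    ("ems-lab.example.test", "7.2.0"),
    ("ems-legacy.example.test", "7.0.12"),
    ("ems-vendor-a.example.test", "7.2.6"),
    ("ems-vendor-b.example.test", "latest"),   # an unusable attestation
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(INVENTORY).items()):
        print(f"{host:28} {status}")
```

The `unknown_version` result is the one to watch when collecting third‑party attestations: a vendor replying "latest" or "fully patched" has not answered the question, and the script refuses to score that as remediated.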
Source: The Hacker News