Originally reported by Security Affairs
TL;DR
Fortinet issued out-of-band patches for CVE-2026-35616, a CVSS 9.1 authentication bypass vulnerability in FortiClient EMS that attackers are actively exploiting. The improper access control flaw allows threat actors to bypass authentication mechanisms in the endpoint management system.
A CVSS 9.1 vulnerability in enterprise security infrastructure with confirmed active exploitation warrants immediate attention. Authentication bypass flaws in endpoint management systems pose a severe risk to an organization's security posture.
Fortinet has released emergency patches for CVE-2026-35616, a critical authentication bypass vulnerability in FortiClient Endpoint Management Server (EMS) that threat actors are actively exploiting in the wild. The vulnerability carries a CVSS score of 9.1, reflecting its severe impact on enterprise security infrastructure.
The flaw stems from an improper access control implementation that allows attackers to bypass authentication mechanisms within FortiClient EMS. This endpoint management platform serves as a centralized control point for managing FortiClient installations across enterprise networks, making it a high-value target for threat actors seeking to establish persistence or lateral movement capabilities.
Authentication bypass vulnerabilities in endpoint management systems present particularly severe risks, as successful exploitation can provide attackers with administrative access to endpoint security controls across an organization's infrastructure.
The combination of active exploitation and the critical nature of the affected system demands immediate patching. Organizations running FortiClient EMS should prioritize applying the emergency patches released by Fortinet.
Given the active exploitation status, security teams should also conduct thorough reviews of FortiClient EMS logs for indicators of compromise and unauthorized access attempts that may have occurred before patch deployment.
This incident follows a pattern of threat actors increasingly targeting enterprise security infrastructure components. Endpoint management systems represent attractive targets due to their privileged access across corporate networks and their potential to facilitate large-scale compromises.
The rapid release of out-of-band patches suggests Fortinet became aware of active exploitation through threat intelligence or customer reports, highlighting the ongoing threat to unpatched systems.