Fortinet has issued emergency security updates to address a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that is already being actively exploited. The company released the patches outside its normal schedule on March 12, 2024, underscoring the severity of the threat. The flaw allows unauthorized attackers to bypass security controls and gain elevated system privileges, posing a significant risk to organizations using the affected network security software.
The vulnerability is tracked as CVE-2026-35616 and carries a high Common Vulnerability Scoring System (CVSS) score of 9.1. Fortinet’s advisory classifies the issue as an “improper access control” weakness, specifically citing the Common Weakness Enumeration (CWE) identifier CWE-284. This type of flaw typically involves failures in the mechanisms that restrict access to sensitive functionality or data.
Technical Details of the Security Flaw
According to the cybersecurity firm, the vulnerability exists in the FortiClient EMS application programming interface (API). It is a pre-authentication bypass, meaning an attacker can exploit it without needing valid login credentials. Successful exploitation leads directly to privilege escalation, granting the attacker higher-level permissions on the compromised system than intended.
FortiClient EMS is a centralized management platform used by IT administrators to deploy, monitor, and update FortiClient endpoints across an organization. A compromise of this management server could provide an attacker with a powerful foothold within a corporate network, potentially enabling further attacks on connected devices and systems.
Availability of Patches and Affected Versions
Fortinet has made patches available for multiple versions of FortiClient EMS to mitigate the risk. The company urges all customers to immediately upgrade to the fixed versions. The patched releases include FortiClient EMS version 7.2.4 and all subsequent builds, version 7.0.12 and later, and version 6.4.14 and later for those on older maintenance tracks.
Organizations that cannot apply the update immediately are advised to implement specific workarounds suggested by Fortinet. These temporary measures typically involve restricting network access to the management interface, though applying the official security patch remains the definitive solution.
Context of Active Exploitation
In its advisory, Fortinet stated the vulnerability “has been exploited in the wild.” This phrase indicates that the company is aware of real-world attacks leveraging the flaw before the patch was widely available. The disclosure follows a pattern of threat actors, including state-sponsored groups, frequently targeting vulnerabilities in network perimeter devices like firewalls and management servers.
Security researchers note that management consoles are high-value targets for cybercriminals. Compromising a single management server can often lead to control over hundreds or thousands of endpoint security clients, effectively disabling an organization’s frontline defenses on employee devices.
Broader Implications for Enterprise Security
This incident highlights the ongoing challenge of securing complex enterprise software stacks. The critical nature of the vulnerability and its active exploitation necessitates rapid response from security teams worldwide. It also reinforces the importance of maintaining an updated inventory of all software assets and having a reliable process for deploying urgent security patches.
Other cybersecurity vendors frequently monitor such disclosures from competitors. They often use the information to hunt for similar weaknesses in their own products or to update their threat detection systems to identify attack patterns associated with the new exploit.
Fortinet is expected to continue monitoring the situation for any changes in the threat landscape related to CVE-2026-35616. The company typically provides additional guidance through its Product Security Incident Response Team (PSIRT) portal if new information emerges. Customers are advised to subscribe to Fortinet’s security advisories for the latest official updates and to prioritize the patching of this critical vulnerability in their security operations cycle.
Source: Fortinet Security Advisory
