FortiClient EMS pre-authentication bypass enables unauthenticated privilege escalation in active exploitation

Fortinet released emergency patches for CVE-2026-35616, a pre-authentication API access control flaw in FortiClient EMS that allows unauthenticated attackers to escalate privileges. The vulnerability is being actively exploited in the wild.

Sebastion

CVE References: CVE-2026-35616

Affected: Fortinet FortiClient EMS

CVE-2026-35616 represents a failure in API authentication architecture within Fortinet's endpoint management solution. The pre-authentication access control bypass (CWE-284) permits attackers to interact with privileged API endpoints without valid credentials, subsequently escalating permissions to perform administrative actions. With a CVSS score of 9.1, this sits at the intersection of high accessibility and severe impact.

The vulnerability's active exploitation in the wild indicates threat actors have already weaponised the flaw. Pre-authentication bypasses in management platforms are particularly severe because FortiClient EMS typically acts as the security control point for enterprise endpoints. Compromising it provides attackers with lateral movement capabilities, policy manipulation, and visibility across the managed device estate.

Organisations running FortiClient EMS should treat the out-of-band patch as emergency priority. The combination of zero authentication requirements and privilege escalation means standard network segmentation may not provide adequate protection if the management interface is accessible. Administrators should immediately apply patches, then review access logs for signs of exploitation, particularly looking for unusual API requests to the management console.

This incident reflects a broader pattern where management and orchestration platforms become high-value targets precisely because they abstract authentication and authorisation across large device populations. The assumption that EMS interfaces are internally protected often conflates network isolation with authentication robustness. Fortinet's need to issue an out-of-band patch suggests detection in production environments may be difficult without specific monitoring for failed API access attempts.

Defenders should verify patch deployment across all FortiClient EMS instances, implement API authentication logging separately from application logs, and consider whether EMS management interfaces require additional authentication layers such as multi-factor authentication or certificate pinning from legitimate management clients.
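One way to turn the log review recommended above into a repeatable check, written here as an added example and not code from the advisory or from Fortinet: it parses a constructed, hypothetical API access-log format (the real FortiClient EMS log schema and its privileged API routes are not on this page, so the field layout and the `/api/v1/admin/` prefix are placeholder assumptions), flags successful requests to privileged paths that carry no authenticated user, and counts per-source failed authentication attempts.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical EMS API access-log layout:
# timestamp client_ip method path http_status user=<name|->
# The 203.0.113.7 entries model a pre-auth bypass: failed attempts, then
# successful privileged calls with no authenticated user attached.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z 10.0.5.12 GET /api/v1/endpoints 200 user=admin
2026-05-01T10:00:03Z 203.0.113.7 POST /api/v1/admin/users 401 user=-
2026-05-01T10:00:04Z 203.0.113.7 POST /api/v1/admin/users 401 user=-
2026-05-01T10:00:05Z 203.0.113.7 POST /api/v1/admin/users 200 user=-
2026-05-01T10:00:09Z 203.0.113.7 PUT /api/v1/admin/policies 200 user=-
2026-05-01T10:01:00Z 10.0.5.40 GET /api/v1/status 200 user=ops
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)
# Placeholder for the console's privileged route prefix (assumption, not Fortinet's).
PRIVILEGED_PREFIX = "/api/v1/admin/"
FAILED_AUTH_THRESHOLD = 2  # tune to the environment's normal failure rate


def parse_log(text):
    """Parse log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["status"] = int(event["status"])
            events.append(event)
    return events


def find_suspicious(events, threshold=FAILED_AUTH_THRESHOLD):
    """Return (unauthenticated privileged successes, sources with repeated auth failures)."""
    hits = [
        e for e in events
        if e["path"].startswith(PRIVILEGED_PREFIX) and e["user"] == "-" and e["status"] < 400
    ]
    failures = Counter(e["ip"] for e in events if e["status"] in (401, 403))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return hits, noisy


if __name__ == "__main__":
    hits, noisy = find_suspicious(parse_log(SAMPLE_LOG))
    for e in hits:
        print(f"UNAUTH PRIVILEGED {e['ts']} {e['ip']} {e['method']} {e['path']}")
    for ip, n in noisy.items():
        print(f"REPEATED AUTH FAILURES {ip}: {n}")
```

Feeding the same two checks the separated API-authentication log the text recommends (rather than the application log) keeps the failed-attempt count from being diluted by unrelated application events.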