Fortinet Issues Emergency Patch for Actively Exploited CVE-2026-35616 in FortiClient EMS

Fortinet has released a critical security patch addressing CVE-2026-35616, a critical-severity privilege escalation vulnerability in FortiClient Endpoint Management Server (EMS) that threat actors have been actively exploiting since at least March 31, 2026. Carrying a CVSS score of 9.1, the flaw affects FortiClient EMS versions 7.4.5 through 7.4.6 and represents one of the most urgent patching priorities for enterprise security teams this quarter. Organizations relying on Fortinet's remote access infrastructure are urged to apply the fix immediately.

Vulnerability Details: What Is CVE-2026-35616?

CVE-2026-35616 is a privilege escalation vulnerability residing within Fortinet's FortiClient Endpoint Management Server. The flaw allows an attacker — potentially one who has already gained a foothold on a network via low-privileged access — to elevate their permissions to a higher level, effectively taking control of managed endpoints or the EMS infrastructure itself.

  • CVE ID: CVE-2026-35616
  • CVSS Score: 9.1 (Critical)
  • Affected Versions: FortiClient EMS 7.4.5 and 7.4.6
  • Impact: Privilege escalation leading to full system compromise
  • Exploitation Status: Actively exploited in the wild since March 31, 2026

The critical CVSS rating reflects the ease of exploitation combined with the severe potential impact. Because FortiClient EMS serves as a centralized management plane for endpoint security policies, successful exploitation can cascade across an entire organization's managed device fleet.

Active Exploitation: A Race Against Attackers

The confirmation that this vulnerability has been exploited in the wild since March 31, 2026, means organizations running affected versions have been exposed for weeks. Threat actors have historically weaponized Fortinet vulnerabilities rapidly, often within days of public disclosure — and in this case, exploitation appears to have preceded widespread awareness.

Security teams should treat this as an active incident response scenario, not merely a routine patch cycle. Any FortiClient EMS deployment running versions 7.4.5 or 7.4.6 should be assumed potentially compromised until patched and forensically reviewed.

"Remote access infrastructure has become the fastest path to breach. VPN and endpoint management systems sit at the intersection of trust and exposure — a single unpatched flaw can unravel an entire security architecture."

The Broader VPN Risk Landscape in 2026

This vulnerability does not exist in a vacuum. The Zscaler ThreatLabz 2026 VPN Risk Report, produced in partnership with Cybersecurity Insiders, paints a sobering picture of the remote access threat landscape. The report highlights how the convergence of AI-assisted attack tooling and legacy VPN infrastructure has dramatically compressed the window between initial access and full compromise.

Key findings from the report underscore the systemic risk:

  • AI-assisted attack frameworks have collapsed the human response window, enabling attackers to move laterally faster than security teams can detect and contain.
  • Remote access solutions, including VPN gateways and endpoint management servers, represent the fastest-growing attack surface for initial access brokers and ransomware operators.
  • Organizations continuing to rely on perimeter-based VPN architectures face disproportionately higher breach rates compared to those adopting zero-trust network access (ZTNA) models.

CVE-2026-35616 is a textbook example of how this risk manifests: a trusted enterprise tool, widely deployed for legitimate remote access management, becomes the attacker's preferred pivot point.

Who Is at Risk?

Any organization running FortiClient EMS versions 7.4.5 or 7.4.6 is directly affected. FortiClient EMS is commonly deployed in medium-to-large enterprise environments, government agencies, and managed service providers (MSPs) that centrally manage endpoint security policies across distributed workforces. Given the remote-work-heavy posture of modern organizations, the attack surface is substantial.

MSPs and MSSPs managing multiple client environments through a shared FortiClient EMS instance face compounded risk — a single exploitation event could potentially affect multiple downstream organizations simultaneously.

Recommended Mitigations and Remediation Steps

Fortinet has issued patches addressing CVE-2026-35616. Security teams should take the following actions immediately:

  • Apply the patch: Upgrade FortiClient EMS to the latest available version that addresses CVE-2026-35616. Consult Fortinet's official security advisory for the specific patched release.
  • Audit access logs: Review EMS access and event logs for signs of anomalous privilege escalation activity, particularly between March 31, 2026, and today.
  • Restrict EMS exposure: Ensure the FortiClient EMS management interface is not exposed directly to the internet. Limit access via network segmentation and strict firewall rules.
  • Enable multi-factor authentication: MFA on all administrative accounts connected to EMS reduces the risk of credential-based initial access leading to exploitation.
  • Implement least privilege: Audit service accounts and administrative roles within EMS to ensure minimal permissions are granted, limiting the blast radius of any successful escalation attempt.
  • Monitor for indicators of compromise (IoCs): Work with your threat intelligence provider to identify any published IoCs associated with active exploitation of this CVE.
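
A triage pass over the steps above, as an added example that is not from Fortinet or the original article: it flags hosts in the affected range (7.4.5 through 7.4.6), sets the log-review window from March 31, 2026, and lists the hardening actions each host still needs. The inventory, its column names, and the hostnames are constructed assumptions, not an EMS export format.

```python
import csv
from datetime import date

# From the article: affected range and first known exploitation date.
AFFECTED_MIN, AFFECTED_MAX = (7, 4, 5), (7, 4, 6)
EXPLOITED_SINCE = date(2026, 3, 31)
# Constructed inventory; column names are assumptions, not an EMS export format.
SAMPLE_INVENTORY = """host,ems_version,mgmt_internet_exposed,admin_mfa
ems-a.example.internal,7.4.6,yes,no
ems-b.example.internal,7.4.5,no,yes
ems-c.example.internal,7.4.4,no,yes
ems-d.example.internal,7.2.10,yes,yes
ems-e.example.internal,v7.4,no,no
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_affected(version):
    # Compare on major.minor.patch; pad short versions with zeros.
    return AFFECTED_MIN <= (version + (0, 0, 0))[:3] <= AFFECTED_MAX

def triage(inventory_csv, as_of):
    findings = []
    for row in csv.DictReader(inventory_csv.splitlines()):
        version, actions = parse_version(row["ems_version"]), []
        if version is None:
            # Unparseable version strings are never silently treated as safe.
            status = "unknown"
            actions.append("confirm installed version manually")
        elif is_affected(version):
            status = "affected"
            actions += ["patch", f"review logs {EXPLOITED_SINCE} to {as_of}"]
        else:
            status = "outside affected range"
        if row["mgmt_internet_exposed"].strip().lower() == "yes":
            actions.append("restrict management interface")
        if row["admin_mfa"].strip().lower() != "yes":
            actions.append("enable admin MFA")
        findings.append({"host": row["host"], "status": status, "actions": actions})
    # Affected hosts first, then unknowns; within a group, most open actions first.
    rank = {"affected": 0, "unknown": 1, "outside affected range": 2}
    return sorted(findings, key=lambda f: (rank[f["status"]], -len(f["actions"])))

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date.today()):
        print(f["host"], "|", f["status"], "|", "; ".join(f["actions"]) or "none")
```

Hosts whose version string cannot be parsed are reported as unknown rather than unaffected, so a malformed inventory entry still reaches a human.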

The Case for Zero-Trust in Remote Access Architecture

Beyond the immediate patching imperative, CVE-2026-35616 reinforces the strategic argument for moving away from legacy VPN-centric architectures toward Zero Trust Network Access (ZTNA). When a single component like FortiClient EMS — which occupies a position of deep trust within the network — carries a critical exploitable flaw, the consequences are amplified by the implicit trust model underlying traditional VPNs.

ZTNA principles, including continuous verification, least-privilege micro-segmentation, and device posture checks, limit the damage any single compromised component can cause. The 2026 VPN Risk Report data suggests organizations accelerating ZTNA adoption experience significantly lower dwell times and reduced blast radius when breaches do occur.

Conclusion: Patch Now, Audit Immediately

CVE-2026-35616 is a critical, actively exploited vulnerability that demands immediate action. With a CVSS score of 9.1 and confirmed exploitation dating back to March 31, 2026, every day without a patch is a day of continued exposure. Security teams should treat this as a priority-one incident: patch affected FortiClient EMS deployments, conduct thorough log reviews, and assess whether exploitation may have already occurred within your environment.

The broader lesson from this vulnerability — and from the 2026 VPN Risk Report — is clear: remote access infrastructure is prime adversarial real estate, and the organizations that treat it as such, investing in timely patching, zero-trust architecture, and continuous monitoring, are far better positioned to withstand the increasingly AI-accelerated threat landscape of 2026.