New FortiClient EMS flaw exploited in attacks, emergency patch released
Fortinet Issues Emergency Patch for Actively Exploited FortiClient EMS Vulnerability
TL;DR
Fortinet released an emergency security update over the weekend for CVE-2026-35616, a critical vulnerability in FortiClient Enterprise Management Server (EMS) that attackers are actively exploiting in the wild. Organizations using FortiClient EMS should apply the patch immediately as this flaw could enable complete system compromise.
What Happened
According to BleepingComputer's reporting, Fortinet pushed out an unscheduled security patch on April 5th for a newly discovered critical vulnerability in FortiClient Enterprise Management Server. The vulnerability, tracked as CVE-2026-35616, is already being exploited by threat actors in active attacks, prompting the vendor to break their normal patch cycle and issue an emergency weekend update.
FortiClient EMS is Fortinet's centralized management platform that allows organizations to deploy, monitor, and manage FortiClient endpoint security software across their enterprise networks. The system typically handles sensitive security configurations and has elevated privileges across managed endpoints.
Technical Analysis
While Fortinet has not yet released detailed technical information about CVE-2026-35616âlikely to prevent widespread exploitationâthe emergency nature of this patch and the "critical" severity rating suggest this is a high-impact vulnerability. Given that it affects the EMS management server and is being actively exploited, this likely involves either:
- A remote code execution (RCE) flaw that allows unauthenticated attackers to execute commands on the server
- An authentication bypass that grants unauthorized administrative access to the management platform
- A privilege escalation vulnerability that could be chained with other attacks
The fact that attackers are already exploiting this flaw indicates it may be relatively straightforward to exploit once discovered, making rapid patching essential.
Impact & Who's Affected
This vulnerability affects organizations using FortiClient Enterprise Management Server across all industries. The potential impact is severe:
- Complete EMS server compromise: Attackers could gain full control over the management server
- Lateral movement: Compromised EMS servers could provide access to managed endpoints
- Configuration manipulation: Attackers might disable security policies or steal configuration data
- Credential harvesting: EMS servers often store or have access to authentication credentials
- Supply chain implications: Compromised management infrastructure could affect all connected endpoints
What You Should Do
Immediate Actions:
1. Apply the emergency patch immediately - Download and install the latest FortiClient EMS update from Fortinet's support portal
2. Audit EMS server access logs - Look for suspicious authentication attempts or unusual administrative activities
3. Check network segmentation - Ensure your EMS servers are properly isolated from general network traffic
4. Review endpoint policies - Verify that security configurations on managed endpoints haven't been tampered with
Additional Steps:
- Monitor Fortinet's security advisories for additional technical details as they become available
- Consider temporarily restricting network access to EMS servers if immediate patching isn't possible
- Implement additional monitoring on EMS infrastructure until patches are applied
The Bigger Picture
This incident highlights the ongoing challenge of securing management infrastructure. FortiClient EMS servers represent high-value targets because compromising them can provide access to entire endpoint security deployments. The rapid exploitation of this vulnerabilityâbefore most organizations could even become aware of itâdemonstrates how quickly threat actors are weaponizing newly discovered flaws.
This follows a pattern we've seen with other enterprise management platforms becoming prime targets. Organizations should treat security management infrastructure with the same critical priority as domain controllers or other core systems, implementing defense-in-depth strategies and rapid patch management processes.
The weekend emergency patch also underscores Fortinet's recognition of the severityâvendors rarely break normal patch cycles unless the risk is exceptionally high.
Source: BleepingComputer reporting on CVE-2026-35616