critical

New FortiClient EMS flaw exploited in attacks, emergency patch released

April 6, 2026·BleepingComputer·Threat Intel
fortinetvulnerabilityzero-dayenterprise-managementcritical-patch

Fortinet Issues Emergency Patch for Actively Exploited FortiClient EMS Vulnerability

TL;DR

Fortinet released an emergency security update over the weekend for CVE-2026-35616, a critical vulnerability in FortiClient Enterprise Management Server (EMS) that attackers are actively exploiting in the wild. Organizations using FortiClient EMS should apply the patch immediately as this flaw could enable complete system compromise.

What Happened

According to BleepingComputer's reporting, Fortinet pushed out an unscheduled security patch on April 5th for a newly discovered critical vulnerability in FortiClient Enterprise Management Server. The vulnerability, tracked as CVE-2026-35616, is already being exploited by threat actors in active attacks, prompting the vendor to break their normal patch cycle and issue an emergency weekend update.

FortiClient EMS is Fortinet's centralized management platform that allows organizations to deploy, monitor, and manage FortiClient endpoint security software across their enterprise networks. The system typically handles sensitive security configurations and has elevated privileges across managed endpoints.

Technical Analysis

While Fortinet has not yet released detailed technical information about CVE-2026-35616—likely to prevent widespread exploitation—the emergency nature of this patch and the "critical" severity rating suggest this is a high-impact vulnerability. Given that it affects the EMS management server and is being actively exploited, this likely involves either:


The fact that attackers are already exploiting this flaw indicates it may be relatively straightforward to exploit once discovered, making rapid patching essential.

Impact & Who's Affected

This vulnerability affects organizations using FortiClient Enterprise Management Server across all industries. The potential impact is severe:


What You Should Do

Immediate Actions:
1. Apply the emergency patch immediately - Download and install the latest FortiClient EMS update from Fortinet's support portal
2. Audit EMS server access logs - Look for suspicious authentication attempts or unusual administrative activities
3. Check network segmentation - Ensure your EMS servers are properly isolated from general network traffic
4. Review endpoint policies - Verify that security configurations on managed endpoints haven't been tampered with

Additional Steps:


The Bigger Picture

This incident highlights the ongoing challenge of securing management infrastructure. FortiClient EMS servers represent high-value targets because compromising them can provide access to entire endpoint security deployments. The rapid exploitation of this vulnerability—before most organizations could even become aware of it—demonstrates how quickly threat actors are weaponizing newly discovered flaws.

This follows a pattern we've seen with other enterprise management platforms becoming prime targets. Organizations should treat security management infrastructure with the same critical priority as domain controllers or other core systems, implementing defense-in-depth strategies and rapid patch management processes.

The weekend emergency patch also underscores Fortinet's recognition of the severity—vendors rarely break normal patch cycles unless the risk is exceptionally high.

Source: BleepingComputer reporting on CVE-2026-35616

← All Threat IntelSource: BleepingComputer