CVE-2026-35616: critical Fortinet FortiClient EMS flaw
CVE-2026-35616 (CVSS 9.8) in Fortinet FortiClient EMS is actively exploited and in the CISA KEV. We explain the threat and how to respond.
There’s a bitter irony in cybersecurity: the tools meant to protect us are sometimes the weakest point themselves. CVE-2026-35616 is a critical vulnerability (CVSS 9.8) in Fortinet FortiClient EMS — the central server managing VPN clients and endpoint security. It has been assessed as actively exploited and added to the CISA KEV catalog.
What the problem is
FortiClient EMS (Enterprise Management Server) manages FortiClient deployments across an organisation. A 9.8-rated flaw usually means remote code execution by an unauthenticated attacker — full compromise of the server without logging in. A related SQL injection flaw was also reported (CVE-2026-21643), allowing unauthorised commands via specially crafted HTTP requests.
An added risk: when an exploit is circulating and the full patch is still being finalised, the vendor ships a hotfix — and every hour of delay works in the attacker’s favour.
What to do
- Apply the patch or hotfix indicated by Fortinet — immediately. This is a management server, so compromising it gives access to many endpoints.
- Restrict access to the management interface. The EMS console should not be exposed to the internet — put it behind a VPN or an allowlist.
- Check for signs of a breach: review the logs, look for unusual accounts and tasks, and match against the vendor's published IOCs.
- Rotate credentials and review the configuration if the system was publicly reachable.
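The second and third steps above (keep the console off the internet, then look for signs of a breach) can be turned into a repeatable triage check. The script below is an added example written for this post; it is not Fortinet's code and not taken from any EMS log. It reads constructed access-log lines in Apache "combined" format for a management console, flags every request that came from outside an admin allowlist (a successful POST to the login path from outside is marked high severity), and diffs the current account list against a known-good baseline. The log format, the `/console/login` path, the allowlist networks and the account names are all assumptions; substitute your own.

```python
import ipaddress
import re
from collections import Counter

# Networks from which administrators are expected to reach the EMS
# console. Constructed values; replace with your own allowlist.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Constructed sample lines in Apache "combined" format. They are not
# FortiClient EMS logs; the paths are placeholders for a console login.
SAMPLE_LOG = """\
10.20.0.15 - admin [02/Apr/2026:09:12:01 +0000] "GET /console/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [02/Apr/2026:09:13:22 +0000] "POST /console/login HTTP/1.1" 401 233 "-" "python-requests/2.31"
203.0.113.44 - - [02/Apr/2026:09:13:25 +0000] "POST /console/login HTTP/1.1" 200 301 "-" "python-requests/2.31"
198.51.100.7 - - [02/Apr/2026:09:14:02 +0000] "GET /console/ HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.168.100.9 - admin [02/Apr/2026:09:20:40 +0000] "GET /console/settings HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Placeholder login endpoint used by the constructed log lines (assumption).
LOGIN_PATHS = {"/console/login"}


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_allowlisted(ip):
    """True if the source address falls inside one of the admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def flag_external_access(log_text):
    """Return every console request that came from outside the allowlist.

    A successful POST to a login path is marked high severity because it
    means an outside party obtained a session rather than just probing."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or is_allowlisted(entry["ip"]):
            continue
        logged_in = (entry["method"] == "POST"
                     and entry["path"] in LOGIN_PATHS
                     and entry["status"] == 200)
        entry["severity"] = "high" if logged_in else "medium"
        findings.append(entry)
    return findings


def external_sources(log_text):
    """Count flagged requests per source address, for the incident timeline."""
    return Counter(e["ip"] for e in flag_external_access(log_text))


# Constructed account inventories: a baseline captured before the exposure
# window, and the list pulled from the server during the investigation.
BASELINE_ACCOUNTS = {"admin", "ems_ops", "svc_backup"}
CURRENT_ACCOUNTS = {"admin", "ems_ops", "svc_backup", "svc_backup2"}


def unexpected_accounts(current, baseline):
    """Accounts present now that were not in the known-good baseline."""
    return set(current) - set(baseline)


if __name__ == "__main__":
    for f in flag_external_access(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} {f['path']} {f['status']}")
    print("requests per external source:", dict(external_sources(SAMPLE_LOG)))
    print("unexpected accounts:", sorted(unexpected_accounts(CURRENT_ACCOUNTS, BASELINE_ACCOUNTS)))
```

Run against the sample, the script flags the two login attempts from 203.0.113.44 (the second one, which got a 200, as high severity) and the probe from 198.51.100.7, and reports `svc_backup2` as an account that was not in the baseline. Any finding with a non-allowlisted source is itself evidence that the console was reachable from outside, which is exactly the condition under which the final step (credential rotation and a configuration review) applies.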
The broader lesson
Security appliances and servers (VPNs, firewalls, management consoles) are concentrated, high-value targets — one compromise grants access to many systems. So treat them with the highest patching priority and keep them off the public internet. The same “active exploitation first” principle recurs in our piece on vulnerability prioritisation, and fast patching of edge systems is one of the pillars of defence against ransomware.
If you’d like to review the exposure of your edge systems, get in touch.
Sources and further reading: CISA KEV, Fortinet PSIRT, The Hacker News.