
Fortinet Patches Critical Security Vulnerability in FortiClient EMS
Fortinet released out-of-band patches for a critical security vulnerability (CVE-2026-35616, CVSS score: 9.1) affecting FortiClient EMS, which has been actively exploited in the wild. The flaw is classified as an improper access control vulnerability (CWE-284) that enables pre-authentication API access bypass, leading to privilege escalation. No specific attack vectors, threat actors, or affected versions were detailed beyond the vulnerability’s classification. The patch addresses the issue, though the exact timeline of exploitation or patch release remains unspecified. The vulnerability was publicly disclosed by Fortinet as part of an urgent security notice.