Analysis
Fortinet disclosed CVE-2026-35616 on April 4, 2026: a 9.1 CVSS pre-authentication API access bypass in FortiClient Endpoint Management Server that leads directly to privilege escalation. Two days later, CISA added it to the Known Exploited Vulnerabilities catalog — the federal agency's formal signal that in-the-wild exploitation has been confirmed.
What an EMS compromise actually means
FortiClient EMS is the management plane for a FortiClient endpoint fleet. It issues VPN profiles, pushes ZTNA policy, distributes antivirus updates, and holds inventory of every endpoint under its control. An attacker who reaches administrative API access on EMS does not need to compromise individual endpoints one by one. They compromise the authority that tells every endpoint what to trust.
The practical consequences, in order of escalating impact:
- Enumerate every endpoint in the environment, its OS version, and its patch state — a reconnaissance gift.
- Push a crafted VPN profile that routes traffic through an attacker-controlled gateway.
- Issue ZTNA policies that grant specific endpoints (or all of them) access to resources they should not have.
- Distribute a malicious software package through the EMS-managed deployment channel — reaching every managed endpoint with the trust level of a legitimate IT push.
The “security product as attack surface” pattern
CVE-2026-35616 is the latest in a multi-year sequence: security products, sold specifically to protect endpoints, repeatedly turn out to contain pre-authentication vulnerabilities on their own management planes. FortiOS, Fortinet SSL-VPN, Ivanti Connect Secure, SonicWall SSL-VPN, and Sophos UTM have all featured on CISA's KEV list. The endpoint-protection and secure-access-gateway segments of the market have a structural problem: the management surface is both highly privileged and frequently exposed to the internet, because operators want to manage their fleet from anywhere.
Your EMS is a higher-value target than any individual endpoint it manages. Protect it accordingly — or expect it to be compromised first.
Mitigation
- Patch now. Fortinet's advisory lists the fixed versions; apply them this week, not next sprint.
- Audit EMS access logs for unfamiliar administrative actions since the earliest date Fortinet identifies for exploitation. If in doubt, assume compromise and rotate every secret EMS has ever held.
- Remove public exposure of the EMS admin API. If remote operators need access, front it with a VPN, Cloudflare Access, or an IP allowlist — not a public-facing TLS endpoint.
- Inventory deployed FortiClient packages and verify their provenance. A compromised EMS could have distributed a backdoored update.
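The log-audit and exposure points above can be combined into one triage pass. The following is an added example, not code from Fortinet or from this article's author: it assumes the EMS administrative log has been exported into a hypothetical normalized CSV (timestamp, source IP, account, action), and the review-window date, allowlist range and account names are constructed placeholders.

```python
import csv, io
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration; none come from Fortinet.
WINDOW_START = datetime(2026, 3, 31, tzinfo=timezone.utc)  # PLACEHOLDER review start
ALLOWED_NETS = [ip_network("10.20.0.0/24")]   # hypothetical admin jump-host range
KNOWN_ADMINS = {"ems-admin", "svc-deploy"}    # hypothetical approved admin accounts

# Constructed sample in a hypothetical normalized layout (not EMS's native format).
SAMPLE_LOG = """timestamp,source_ip,account,action
2026-03-30T08:12:00Z,10.20.0.15,ems-admin,profile.update
2026-04-02T02:41:09Z,203.0.113.77,ems-admin,deployment.create
2026-04-02T02:44:51Z,10.20.0.15,tmp-admin2,admin.create
2026-04-03T11:00:00Z,10.20.0.22,svc-deploy,deployment.create
2026-04-03T11:05:00Z,not-an-ip,ems-admin,policy.update
"""

def triage(log_text, window_start, allowed_nets, known_admins):
    """Return (timestamp, account, action, reasons) for admin events needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
            if ts.tzinfo is None:                 # treat naive timestamps as UTC
                ts = ts.replace(tzinfo=timezone.utc)
            src = ip_address(row["source_ip"])
        except (ValueError, AttributeError):
            # Never drop a damaged row silently: it may be the interesting one.
            findings.append((row["timestamp"], row["account"], row["action"],
                             ["unparseable row"]))
            continue
        if ts < window_start:
            continue                              # outside the review window
        reasons = []
        if not any(src in net for net in allowed_nets):
            reasons.append("source outside allowlist")
        if row["account"] not in known_admins:
            reasons.append("unknown admin account")
        if reasons:
            findings.append((row["timestamp"], row["account"], row["action"], reasons))
    return findings

if __name__ == "__main__":
    for ts, account, action, reasons in triage(SAMPLE_LOG, WINDOW_START,
                                               ALLOWED_NETS, KNOWN_ADMINS):
        print(ts, account, action, "; ".join(reasons))
```

An empty result does not clear the server: an attacker with administrative access may have altered the log itself, so treat the output as a starting list for review.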
The broader pattern
Pre-authentication bugs on security appliance management planes are not rare events. They are a recurring, structural feature of the market. Organizations that over-index on "we run a commercial security product" as their threat-model justification need to plan for the day that product's management plane is itself the initial access vector. Defense in depth means assuming any single component — including a security product — can be the one that falls first.