Who watches the software that watches your endpoints? Fortinet has quietly answered that question this week by issuing out-of-band patches for a critical flaw in FortiClient EMS that it says has already been exploited in the wild.
What happened
Fortinet released an out-of-band patch to address a critical vulnerability affecting FortiClient EMS. The flaw is tracked as CVE-2026-35616 and carries a CVSS score of 9.1. According to Fortinet, the vulnerability is a "pre-authentication API access bypass leading to privilege escalation." The company also stated, in its advisory, "An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an"
Current situation
Fortinet characterized the issue as critical and said it has been exploited in the wild. To address the risk, the vendor released fixes outside the normal update cadence—out-of-band patches—indicating an elevated urgency to remediate the issue.
Why it matters
- Severity: A CVSS score of 9.1 signals a high-impact flaw. The description—pre-authentication API bypass with privilege escalation—means an attacker could attempt to gain higher privileges without authenticating first, raising the potential for broad device or network impact.
- Active exploitation: Fortinet’s statement that the vulnerability has been exploited in the wild elevates this from theoretical risk to active threat, altering how organizations assess immediate priorities.
- Supply-chain and management implications: FortiClient EMS is a management system for endpoint software. Vulnerabilities in such centralized tools can affect many endpoints under a single administration point, which concentrates both risk and responsibility for rapid response.
- Operational urgency: The decision to issue out-of-band patches reflects a vendor judgment that delaying fixes until the next scheduled update could leave customers exposed while exploits circulate.
Perspectives to consider
Technologists will read the combination of a high CVSS score, pre-authentication bypass semantics, and confirmed exploitation as a prompt to prioritize assessment and mitigation of any affected deployments. Users and administrators of FortiClient EMS may face immediate operational choices about deploying the out-of-band patch, balancing risk and potential disruption.
For policymakers and risk managers, the incident reinforces the systemic challenge of securing centralized management tools and the tempo mismatch that can occur between discovery, exploitation, and remediation. Adversaries benefit from any delay between disclosure and patching; the vendor’s statement that the flaw was exploited in the wild underscores that reality.
Fortinet’s advisory and its decision to push an out-of-band fix make clear the company’s assessment of the flaw’s seriousness. Beyond that, the situation is a reminder that vulnerabilities in the software that manages security tools themselves can become high-value targets.
Will organizations treat this as another routine update or as a call to re-evaluate how quickly they can detect, test and apply emergency patches to centralized management systems?




