
Fortinet disclosed CVE-2026-35616 this week -- a critical pre-authentication API access bypass in FortiClient EMS with a CVSS score of 9.1. The vulnerability allows an unauthenticated attacker to bypass API access controls and escalate privileges on the management server. Fortinet shipped an out-of-band hotfix for versions 7.4.5 and 7.4.6, with a full patch expected in 7.4.7. Exploitation attempts were observed against honeypots on March 31, 2026 -- days before the patch was public.

If you're running FortiClient EMS, patch now. That part is straightforward and you already know it. But the more important question, the one that matters whether or not you run Fortinet, is this: how did attackers find and exploit this vulnerability days before the vendor's patch was available, and what does that tell us about the security model most businesses rely on?

What CVE-2026-35616 Actually Does

FortiClient EMS (Endpoint Management Server) is the central control plane for Fortinet's endpoint security product. It's how IT teams deploy, configure, monitor, and update the FortiClient agents running on user machines. If you manage a fleet of Fortinet-protected endpoints, EMS is the brain -- and by design it's reachable over the network, so administrators can manage it from the office or from home, and clients can report in to it from wherever they are.

CVE-2026-35616 breaks the authentication boundary on the EMS API. Pre-authentication API access bypass means exactly what it sounds like: an attacker who has never logged in, never presented credentials, and has no relationship with the EMS at all can craft API requests that the server accepts as if they were authenticated. From there, the attacker can enumerate managed endpoints, pivot to privileged operations, and potentially push configurations or commands to every FortiClient in the managed fleet.

Think about what that means for the real-world blast radius. The EMS is the tool you trust to push security policy to your endpoints. If an attacker controls EMS, they don't have to compromise endpoints one at a time. They control the thing that controls the endpoints. That's a pre-built distribution channel for ransomware, credential harvesters, or any other payload an attacker wants to deliver at scale.

The Pattern We're Seeing in 2026

CVE-2026-35616 is not unique. It's part of a pattern that has dominated the CVE landscape for the last 18 months and shows no sign of slowing down: pre-authentication vulnerabilities in security products themselves. Not the things security products are supposed to protect -- the security products.

In the last year alone, pre-auth or authentication bypass flaws have been disclosed in products from nearly every major perimeter security vendor. VPN appliances. Firewalls. Endpoint management servers. Secure email gateways. Identity providers. The tools companies bought and deployed specifically to defend themselves have repeatedly become the entry points that attackers use.

Why is this happening? Three reasons, all of which matter for how you think about your own security:

1. Security products expose attack surface by design. A firewall has to accept packets from anywhere. A VPN appliance has to be reachable from the internet. An EMS has to be reachable from the endpoints it manages. These products can't hide behind other defenses because they are the defenses. That makes them both high-value targets and naturally exposed.

2. Complexity creates pre-auth attack surface. Modern security products are large, feature-rich applications with dozens of HTTP endpoints, custom protocols, file upload handlers, and authentication layers. Every one of those is a place where a subtle logic flaw can let an attacker in without credentials. And because authentication is often bolted onto these endpoints rather than designed in from the start, it's easy for one endpoint to check credentials correctly and another to forget.

3. Attackers have automated the discovery. Honeypot operators observed exploitation attempts against CVE-2026-35616 on March 31, 2026, days before the patch existed. That's not a coincidence. Well-resourced attacker groups run continuous fuzzing and reverse engineering against every popular security product. They find these vulnerabilities the same way researchers do -- and sometimes faster. The window between "vulnerability exists" and "vulnerability is being exploited" has shrunk to near zero for high-value perimeter products.

The security products you bought to defend your network have become the most reliable place for attackers to find entry points. That's not a theoretical problem. It's the operational reality of 2026.

Why Patching Alone Isn't Enough

Here's the uncomfortable part of this story. When a CVE like this drops, the conventional advice is "patch immediately." That advice is correct, and you should do it. But patching alone addresses only the specific vulnerability that was disclosed. It doesn't tell you anything about:

Patching is a reactive control. It fixes the door you already know about. Penetration testing is the proactive control: someone who thinks like an attacker probing for doors you don't know about yet, in your specific environment, with your specific configuration.

What a Penetration Test Would Have Found

Let's be concrete about what we mean. In a typical external penetration test against a business running Fortinet EMS, here's what we do that a vulnerability scanner doesn't:

Enumerate the actual attack surface

A scanner sees the port and reports the version. We map every exposed endpoint, every HTTP method supported, every parameter accepted, and every response code the server returns under different conditions. We build a complete picture of the attack surface as an attacker would see it, which is almost always larger than what the vendor documentation describes.

Test authentication on every endpoint, not just the login page

The vendor tells you which endpoints require authentication. We verify it. One at a time. Because the gap between "we thought this required authentication" and "it actually requires authentication" is where CVE-2026-35616 lives. And it's where the next one will live too.
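One way to turn that check into something repeatable is an authentication-coverage regression test you run against your own management console: every inventoried endpoint is requested with no credentials, and anything the server does not reject outright is reported. This is an added example, not Fortinet's or RevealSec's code; the base URL and the endpoint paths are constructed placeholders to be replaced with your own inventory, and `fetch` is a hypothetical injectable transport so the logic can be exercised without a live server.

```python
import urllib.request
import urllib.error
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class Finding:
    method: str
    path: str
    status: int

    @property
    def auth_enforced(self) -> bool:
        # Only an outright rejection counts. A 200 means the handler ran without
        # credentials; a 302 to the login page is a review item, so it is reported too.
        return self.status in (401, 403)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: a 302 to /login would otherwise be read back as a 200.
    def redirect_request(self, *args, **kwargs):
        return None

_OPENER = urllib.request.build_opener(_NoRedirect)

def http_status(base_url: str, method: str, path: str) -> int:
    """Default transport: one request with no cookies, auth headers or body."""
    req = urllib.request.Request(base_url + path, method=method)
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code

def check_auth_coverage(base_url: str, endpoints: Iterable[tuple[str, str]],
                        fetch: Callable[[str, str, str], int] = http_status) -> list[Finding]:
    """Request every (method, path) pair unauthenticated; return the ones not rejected."""
    findings = (Finding(m, p, fetch(base_url, m, p)) for m, p in endpoints)
    return [f for f in findings if not f.auth_enforced]

# Constructed placeholder inventory; replace with the endpoints your own console exposes.
PLACEHOLDER_ENDPOINTS = [
    ("GET", "/api/v1/endpoints"),
    ("POST", "/api/v1/policies"),
    ("GET", "/api/v1/status"),
]

if __name__ == "__main__":
    for f in check_auth_coverage("https://ems.example.internal", PLACEHOLDER_ENDPOINTS):
        print(f"NOT REJECTED: {f.method} {f.path} -> HTTP {f.status}")
```

Run it after every upgrade as well as after a hotfix: an endpoint that silently stops rejecting anonymous requests between versions is exactly the regression this check exists to catch.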

Look for logic flaws, not just missing patches

A scanner tells you "this version has CVE-X." A pentester asks "what happens if I send an unusual request to this endpoint?" Different question, completely different results. The flaws that matter most -- pre-auth bypasses, path traversals, SSRF, authorization flaws -- rarely show up as version checks. They show up when someone actively tries to break the system.

Chain findings together

Individual vulnerabilities are less important than what an attacker can do by chaining them. A pre-auth read on one endpoint plus a weak permission check on another plus an SSRF somewhere else can become full administrative compromise. That chain is invisible to scanners and obvious to humans testing with intent.

What Business Leaders Should Actually Do

You don't have to become a Fortinet expert, and you don't have to panic every time a new CVE drops. Here's the short version of the right response:

1. Patch CVE-2026-35616 if you run FortiClient EMS. Today. Then look at your logs for any unusual API activity since March 31. If you can't interpret the logs yourself, get help that can.

2. Inventory your internet-exposed security tools. Not just Fortinet. Every management console, every API, every administrative interface that's reachable from outside your network. Most businesses are surprised how many there are.

3. Ask the uncomfortable question. When was the last time someone actually tried to break into those tools from the outside, with your configuration, without using the vendor's happy-path documentation? If the answer is "never" or "a scanner did it," that's a gap that this week's CVE makes more expensive to ignore.

4. Plan for external penetration testing at a real cadence. Annual is the minimum for most businesses. More often if you have high-value data, regulatory pressure, or a lot of internet-facing infrastructure. And the test has to be a real engagement -- not a vendor scanner wearing a pentest hat.

5. Stop treating your perimeter security products as uniformly trustworthy. The pattern is clear: the products you bought to keep attackers out are one of the ways attackers get in. Treat them with the same skepticism you'd apply to any other piece of software running in your environment.
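For step 1, a first-pass triage of the management server's API logs can be scripted: pull out API requests that were served successfully with no authenticated principal, restricted to the window since exploitation was first observed on March 31, and count them per source address. This is an added example, not Fortinet's or RevealSec's code; the space-separated log format and the sample lines are constructed (documentation-range IPs), and the field regex must be adapted to whatever your server actually writes before it is used on real logs.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed format: "<iso-timestamp> <src-ip> <user-or-dash> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$'
)
# Start of the window: first honeypot observations of exploitation attempts (UTC).
WINDOW_START = datetime(2026, 3, 31, tzinfo=timezone.utc)

def parse(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped, never treated as benign
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["status"] = int(rec["status"])
    return rec

def is_suspicious(rec) -> bool:
    """API request served 2xx with no authenticated principal, inside the window."""
    return (rec["ts"] >= WINDOW_START and rec["path"].startswith("/api/")
            and rec["user"] == "-" and 200 <= rec["status"] < 300)

def triage(lines):
    """Return the suspicious records and a per-source-IP count of them."""
    hits = [r for r in map(parse, lines) if r and is_suspicious(r)]
    return hits, Counter(r["src"] for r in hits)

# Constructed sample log: one legitimate admin read before the window, an
# unauthenticated read/write pair inside it, a login page hit, a rejected probe,
# and a later unauthenticated write from a second source.
SAMPLE_LOG = """\
2026-03-29T09:12:44Z 198.51.100.7 admin GET /api/v1/endpoints 200
2026-03-31T02:14:07Z 203.0.113.5 - GET /api/v1/endpoints 200
2026-03-31T02:14:09Z 203.0.113.5 - POST /api/v1/policies 200
2026-03-31T02:15:00Z 203.0.113.5 - GET /login 200
2026-04-01T08:00:01Z 198.51.100.7 - GET /api/v1/status 401
2026-04-02T11:30:15Z 203.0.113.9 - POST /api/v1/policies 201
""".splitlines()

if __name__ == "__main__":
    hits, by_src = triage(SAMPLE_LOG)
    for r in hits:
        print(f"{r['ts'].isoformat()} {r['src']} {r['method']} {r['path']} -> {r['status']}")
    print("suspicious requests per source:", dict(by_src))
```

A bypass that makes the server treat a request as authenticated may still log a principal, so an empty user field is only one signal; the per-source counts and any write to policy or deployment paths from an address you do not recognise deserve the same attention.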

The Bigger Picture

CVE-2026-35616 will be patched, written about, and forgotten within a month. Another pre-auth bypass will take its place. This is the rhythm of 2026 security: fast-moving disclosures, shrinking patch windows, and attackers who routinely get inside before defenders get notified. Vulnerability exploitation has overtaken phishing as the primary method of initial access in most incident response reports. That shift isn't a blip. It's the new reality.

The businesses that weather this pattern without scrambling every week are the ones that already know where their perimeter is weak, because they've had someone test it. They're the ones that see the CVE disclosure and think "we checked for this class of flaw eight weeks ago, here's our action plan" instead of "we need to drop everything and figure out if we're exposed."

A real penetration test won't find every future vulnerability. But it will find the ones that already exist in your environment, show you which of your controls are holding up under adversarial pressure, and tell you where your blind spots are before someone else finds them for you. That's the difference between a security program that reacts to the news cycle and one that's actually ahead of it.

Your Fortinet patch window closes when you hit "apply update." Your exposure window closes when you know what else in your environment looks like CVE-2026-35616 and nobody has noticed yet.

Is Your Perimeter Actually Holding?

RevealSec runs penetration tests that go beyond scanning for known CVEs. We test your security products, management consoles, and trust boundaries the way real attackers do -- looking for the next CVE-2026-35616 before someone else finds it in your environment. Read more on our blog or get in touch.
