If you manage a business, a small team, or run a project with devices under Fortinet management, you’ll want to read this. A newly disclosed zero-day in Fortinet FortiClient EMS is being actively exploited in the wild. The vulnerability is CVE-2026-35616, and Fortinet has issued an emergency hotfix while a broader patch is developed. This is a reminder that critical flaws can move fast and your patch cadence matters more than ever.
What happened
Fortinet disclosed an actively exploited zero-day affecting FortiClient EMS, the endpoint management tool used to configure and manage Fortinet client devices. The vulnerability has a high severity rating, and Fortinet and security researchers have noted in advisories that in-the-wild exploitation has been observed. A hotfix has been released, and a more comprehensive update is planned, but organizations should treat this as a high-priority risk right now. Details may evolve as more information becomes available.
Why it matters
This is a reminder that management tooling sits at a high value target for attackers. FortiClient EMS is often used to push configurations, updates, and security policies to endpoints. If an attacker can exploit a flaw in EMS, there’s potential for broader access to managed devices. That matters whether you’re a small business, a creator with a team, or an IT pro keeping a handful of devices in check. Quick action reduces exposure and helps prevent widespread impact.
Practical steps you can take
- Identify exposure: Check whether FortiClient EMS is deployed in your environment and which versions are present. List all endpoints that are managed by EMS.
- Apply the hotfix: If you’re already seeing the Fortinet advisory for CVE-2026-35616, apply the emergency hotfix as soon as possible. Monitor Fortinet sources for guidance on the full patch timeline.
- Patch and update strategy: Plan to deploy the full update when it becomes available. Test in a small cohort if you can, then roll out widely.
- Harden access: Restrict EMS access to trusted networks and VPNs. Enforce MFA for all Fortinet admin accounts if not already in place.
- Increase monitoring: Look for unusual authentication attempts, EMS configuration changes, or mass updates to endpoints. Review EMS logs for any unfamiliar activity.
- Backup and incident response: Ensure recent backups are intact and offline where possible. Have an incident response plan ready in case an endpoint is compromised.
Final thought
Staying on top of patching for critical management tools like FortiClient EMS is precisely how you keep small teams and growing projects safer online. Set a quick review, verify you’re within scope for the hotfix, and prepare to apply the full patch when it’s released. If you’re unsure where to start, start with your EMS inventory and move from there—small, deliberate steps add up fast.