CVE-2026-35616 is a critical (CVSS 9.1) pre-authentication remote code execution zero-day in Fortinet FortiClient EMS — the management server that pushes endpoint-security policy to every FortiClient-managed device in an organisation. An unauthenticated attacker who reaches the EMS API can bypass all authentication and authorisation controls, execute arbitrary code on the server, and take command over […]
