
FortiClient EMS Will Now Execute Code With No Authentication. PAN-OS GlobalProtect Will Now Let You In With No Credentials. The Perimeter Vendors Just Shipped The Bleed.

  • Writer: Patrick Duggan
  • 2 hours ago
  • 8 min read

This week the two largest perimeter vendors in enterprise security each shipped a vulnerability that turns their own product into the breach. Fortinet patched CVE-2026-35616, a pre-authentication API access bypass in FortiClient EMS scored 9.1 critical, which the discoverers at Defused Cyber observed under active zero-day exploitation from early April 2026, roughly two months before the public advisory. Palo Alto Networks updated their advisory for CVE-2026-0257, a GlobalProtect authentication bypass scored 7.8 (a number that sits in the High band of the CVSS scale even though the advisory files it as medium), on May 29 to confirm what their initial May 13 disclosure deliberately did not state out loud: unpatched systems are now seeing limited active exploitation attempts. Both bugs sit on the management plane of products explicitly marketed to keep adversaries out of an organization's perimeter. Both bugs are credential-free on the way in. The Fortinet bug already has a credential stealer attached to its documented post-exploitation chain.


The vendor messaging on both is exactly the polished tone an enterprise procurement officer has trained themselves to hear as routine. Patch cadence. Severity classification. Responsible disclosure timeline. Customer notification through the normal channels. The polish is the problem. The two products in question are not point solutions for a niche workload. FortiClient EMS is the central management console that operates an organization's entire Fortinet endpoint estate. GlobalProtect is the VPN portal that authenticates every remote worker into the corporate network. The procurement officer who signed those contracts signed them because the vendor's pitch deck promised perimeter defense as a service. The contract did not anticipate that perimeter defense as a service would, on a particular Tuesday in May, ship a hotfix that reads in plain English as "until you apply this, anybody on the internet can run code on your endpoint management plane without authentication."



What Fortinet Shipped


CVE-2026-35616 is an improper access control vulnerability in FortiClient EMS, versions 7.4.5 through 7.4.6, classified under CWE-284. Fortinet's advisory language describes it as a flaw that "may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests." Defused Cyber, the disclosing party, observed in-the-wild exploitation in early April 2026, with continued active attacks documented through May 2026. The attacker tradecraft on the post-compromise side is unsubtle and well-documented. The threat actor disguises a credential-stealer payload as a legitimate Fortinet endpoint update. PowerShell silently executes the payload. The actor then modifies the management console's configuration to suppress firmware upgrade warnings — the standard way an administrator would have noticed something was wrong — and alters remote access profiles to maintain persistence.


The two-month gap between observed exploitation and public advisory is the part of this story worth dwelling on. Defused Cyber's researcher Simo Kohonen, working with Nguyen Duc Anh, identified the flaw and reported it through Fortinet's coordinated disclosure process. The public timeline does not say when that report reached Fortinet, but the advisory still landed roughly two months after exploitation was first observed, and the active campaign ran against unpatched customers for that whole window. Fortinet's calculus here is the same calculus every large vendor uses on every disclosure timeline: coordinated disclosure norms give the vendor a window to prepare a patch before the bug becomes public. The norms do not require the vendor to tell the public, or its own customers, that the bug is already under active exploitation. They allow the vendor to ship the patch with a measured-tone advisory, classify the severity in vendor-preferred language, and let the customer infer the urgency from whatever channels they were already monitoring.


The hotfix is available. Customers running FortiClient EMS 7.4.5 or 7.4.6 should be on 7.4.7 or later by the time they read this, and should treat the upgrade as containment rather than remediation: given the exploitation timeline, a console that was reachable in April may already carry the suppressed upgrade warnings and altered remote access profiles described above, so review those settings after patching rather than stopping at the version string. Customers running earlier branches are not affected by this specific CVE but should move onto a current release anyway, because a lagging build of a security product is a separate problem of comparable severity.



What Palo Alto Shipped


CVE-2026-0257 is an authentication bypass in the GlobalProtect portal and gateway, scored 7.8 and filed by the advisory as medium. Palo Alto Networks' technical description is precise enough to read as confession. The flaw allows an attacker to "bypass security restrictions and establish an unauthorized VPN connection" when authentication override cookies are enabled in combination with specific certificate configurations. The two conditions are common enough in real deployments that the bug is exploitable against a meaningful slice of GlobalProtect customers without any prior reconnaissance. The May 29 advisory update is the part that should have led the original May 13 disclosure. Palo Alto now states that limited exploit attempts have been observed against unpatched systems in active use. The original advisory's medium-severity classification is doing real work obscuring how exploitable a "limited exploit attempts" pattern actually becomes once the technical detail is in researcher hands.


The historical pattern at Palo Alto is worth naming because the author of this post worked at Palo Alto Networks earlier in his career. The vendor's disclosure cadence on GlobalProtect specifically has a recognizable shape. Initial advisory at medium severity with restrained language about conditions of exploitability. Quiet update to the advisory days or weeks later confirming active exploitation. Public-facing customer communication that asks the customer to read the updated advisory rather than treating the update as a fresh material disclosure. The pattern is not unique to Palo Alto and it is not malicious. It is the path of least vendor friction. The customer reading the May 13 advisory got the technical detail. The customer not reading the May 29 update is now running a GlobalProtect portal that an unauthenticated attacker can establish a VPN connection through. The two customers are running the same software. They are not running the same risk posture because one of them was on the mailing list and the other was not.


GlobalProtect customers should apply the patched version, confirm whether authentication override cookies are enabled on the portal and on each gateway, and audit the certificate side of the deployment for the specific conditions named in the advisory. The advisory contains the version-by-version remediation table. The cookie audit is the part that the patch alone does not resolve: the cookie configuration is a customer-managed setting, and the patch closes the bypass but does not change the cookie settings already committed on the device, so a deployment needs to know where that feature is turned on independent of this CVE.
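One way to turn that cookie audit into a repeatable check, as an added example that is not Palo Alto's tooling and not code from the original post: the script below walks an exported PAN-OS configuration and reports every `authentication-override` block it finds under a portal or gateway. The element names (`global-protect-portal`, `global-protect-gateway`, `authentication-override`, `generate-cookie`, `accept-cookie`) and the embedded sample configuration are assumptions about the exported XML layout, so confirm them against a real configuration export before trusting a clean result; the walk searches by tag name rather than by full path, so it tolerates variation in the surrounding hierarchy (vsys, template, and so on).

```python
"""Find GlobalProtect authentication override cookie settings in an exported
PAN-OS configuration.  Added example, not Palo Alto's tooling.  The element
names below are assumptions about the exported XML; verify them against your
own configuration export before trusting a clean result."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real device export): one portal that both generates
# and accepts override cookies, one gateway that accepts them, and one portal
# with the feature never configured.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="gp-portal-corp">
          <client-config><configs>
            <entry name="default-agent-config">
              <authentication-override>
                <generate-cookie>yes</generate-cookie>
                <accept-cookie><cookie-lifetime><lifetime-in-days>30</lifetime-in-days></cookie-lifetime></accept-cookie>
              </authentication-override>
            </entry>
          </configs></client-config>
        </entry>
        <entry name="gp-portal-lab">
          <client-config><configs><entry name="lab-config"/></configs></client-config>
        </entry>
      </global-protect-portal>
      <global-protect-gateway>
        <entry name="gp-gw-corp">
          <remote-user-tunnel-configs><entry name="rut-corp">
            <authentication-override>
              <accept-cookie><cookie-lifetime><lifetime-in-days>7</lifetime-in-days></cookie-lifetime></accept-cookie>
            </authentication-override>
          </entry></remote-user-tunnel-configs>
        </entry>
      </global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""


def audit_auth_override(xml_text):
    """Return one finding per authentication-override block, in document order."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for node in root.iter("authentication-override"):
        names, kind, cur = [], "unknown", node
        # Walk upward collecting entry names until the owning portal/gateway.
        while cur in parents:
            cur = parents[cur]
            if cur.tag == "entry" and cur.get("name"):
                names.append(cur.get("name"))
            if cur.tag in ("global-protect-portal", "global-protect-gateway"):
                kind = cur.tag.rsplit("-", 1)[-1]  # "portal" or "gateway"
                break
        findings.append({
            "kind": kind,
            "path": "/".join(reversed(names)),
            # generate-cookie is a yes/no leaf; accept-cookie is a subtree whose
            # presence means presented cookies are honoured (assumed layout).
            "generate_cookie": node.findtext("generate-cookie", "no").strip() == "yes",
            "accept_cookie": node.find("accept-cookie") is not None,
        })
    return findings


def needs_review(findings):
    """Accepting a cookie is what lets a cookie stand in for credentials, so
    those entries are the ones to check against the advisory's conditions."""
    return [f for f in findings if f["accept_cookie"]]


if __name__ == "__main__":
    for f in audit_auth_override(SAMPLE_CONFIG):
        flag = "REVIEW" if f["accept_cookie"] else "info"
        print(f"[{flag}] {f['kind']:7} {f['path']:40} "
              f"generate={f['generate_cookie']} accept={f['accept_cookie']}")
```

Point it at an exported running configuration instead of `SAMPLE_CONFIG` and the output is the list of portal and gateway entries to check against the advisory's certificate conditions. A portal that only generates cookies is reported as information; anything that accepts them is the entry that matters, because acceptance is the side where a cookie substitutes for credentials.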



The Soft Surface Is The Perimeter Now


We have been writing the soft-surface-bleed frame for most of May 2026. The original framing distinguished the hard perimeter — firewalls, WAFs, edge appliances, EDR — from the soft surfaces, which we defined as the trust paths between systems rather than the security boundaries within systems. The npm publish path. The GitHub Actions workflow boundary. The VS Code Marketplace extension pipeline. The supply-chain trust model that Mini-Shai-Hulud and the Nx Console compromise exploited and that CISA formally classified as a vulnerability surface yesterday with CVE-2026-45321 and CVE-2026-48027.


This week's Palo and Fortinet disclosures collapse the distinction. The perimeter vendor's management plane is the soft surface. The product an organization buys to harden its perimeter is itself the bleed. The FortiClient EMS pre-authentication RCE turns an organization's endpoint management console into an unauthenticated attacker's command execution surface. The PAN-OS GlobalProtect authentication bypass turns the VPN portal that authenticates remote workers into a portal that authenticates remote workers and the adversary alike. The procurement-tier mental model — pay the vendor, the vendor handles the perimeter — has been the dominant enterprise security posture for two decades. The mental model assumes that the vendor's product itself does not require the same continuous, paranoid, instrumented attention as the rest of the stack. The two CVEs this week say the assumption is wrong.


The defender posture this implies is not novel. It is the posture every operational security team already runs against the rest of their infrastructure. Monitor outbound traffic from your perimeter products with the same diligence you monitor outbound traffic from your endpoints. Audit the management plane configurations on a fixed cadence rather than only when an advisory drops. Maintain an offline rotation plan for the credentials that your management plane caches, because the moment a CVE like this lands, every credential that touched that management plane is a credential the post-exploitation chain has already had two months to harvest. Subscribe to the vendor's security advisory mailing list, but treat the mailing list as a thirty-day-late signal rather than an authoritative source on what your perimeter is doing today. Set a calendar reminder once a quarter to manually pull the advisory list for every perimeter vendor in your stack and read every entry from the previous quarter, not just the ones that came through your inbox.
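The quarterly pull described above can be scripted rather than done from a calendar reminder. The following is an added example, not the page's or either vendor's code: it parses a vendor PSIRT RSS feed, keeps the items that fall inside a given quarter and mention a product in your stack, and sorts to the top any item whose text carries exploitation language. The feed URLs are assumptions to confirm on each vendor's PSIRT page, the product list is hypothetical, and the feed items embedded below are constructed for the example, not real advisories.

```python
"""Quarterly advisory triage over vendor PSIRT RSS feeds.  Added example, not
the page's or either vendor's tooling.  FEEDS are assumed URLs (confirm them),
STACK is a hypothetical product list, and SAMPLE_RSS is constructed."""
import datetime as dt
import re
import urllib.request
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Assumed feed locations; confirm on each vendor's PSIRT page before relying on them.
FEEDS = {
    "Fortinet": "https://filestore.fortinet.com/fortiguard/rss/ir.xml",
    "Palo Alto Networks": "https://security.paloaltonetworks.com/rss.xml",
}

# Hypothetical product list, matched case-insensitively against title + body.
STACK = ["FortiClient EMS", "GlobalProtect", "PAN-OS"]

# Coarse trigger for "read this today".  It also fires on "no known
# exploitation", which is the safe direction for a triage filter to err.
EXPLOIT_RE = re.compile(r"\b(exploit\w*|in[- ]the[- ]wild|zero[- ]day|KEV)\b", re.I)

# Constructed feed items for the offline demo; none of these are real advisories.
SAMPLE_RSS = """<rss version="2.0"><channel>
<item><title>FortiClient EMS - Improper access control</title>
<link>https://example.invalid/psirt/FG-IR-EXAMPLE-1</link>
<pubDate>Tue, 26 May 2026 16:00:00 GMT</pubDate>
<description>May allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. In-the-wild exploitation has been observed.</description></item>
<item><title>PAN-OS - GlobalProtect authentication bypass</title>
<link>https://example.invalid/psirt/PAN-EXAMPLE-2</link>
<pubDate>Wed, 13 May 2026 18:00:00 GMT</pubDate>
<description>Authentication bypass under specific certificate and cookie configurations.</description></item>
<item><title>FortiWeb - Path traversal</title>
<link>https://example.invalid/psirt/FG-IR-EXAMPLE-3</link>
<pubDate>Mon, 20 Apr 2026 12:00:00 GMT</pubDate>
<description>Information disclosure via crafted URL.</description></item>
<item><title>FortiClient EMS - Cross-site scripting</title>
<link>https://example.invalid/psirt/FG-IR-EXAMPLE-4</link>
<pubDate>Tue, 13 Jan 2026 12:00:00 GMT</pubDate>
<description>Stored XSS in the management console.</description></item>
</channel></rss>"""


def fetch_feed(url, timeout=20):
    """Pull a live feed.  Not used by the offline demo below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_rss(xml_text):
    """Flatten RSS 2.0 items into dicts with a date object for pubDate."""
    root = ET.fromstring(xml_text)
    items = []
    for it in root.iter("item"):
        items.append({
            "title": it.findtext("title", "").strip(),
            "link": it.findtext("link", "").strip(),
            "published": parsedate_to_datetime(it.findtext("pubDate", "")).date(),
            "body": it.findtext("description", "").strip(),
        })
    return items


def quarter_window(year, quarter):
    """First and last calendar day of the given quarter (1-4)."""
    start = dt.date(year, 3 * (quarter - 1) + 1, 1)
    end = dt.date(year + (quarter == 4), (3 * quarter) % 12 + 1, 1) - dt.timedelta(days=1)
    return start, end


def triage(items, stack, start, end):
    """Items in [start, end] that mention a stack product, exploited ones first."""
    hits = []
    for item in items:
        if not (start <= item["published"] <= end):
            continue
        text = f"{item['title']} {item['body']}".lower()
        matched = [p for p in stack if p.lower() in text]
        if not matched:
            continue
        hits.append({**item, "products": matched,
                     "exploited": bool(EXPLOIT_RE.search(text))})
    hits.sort(key=lambda h: (not h["exploited"], -h["published"].toordinal()))
    return hits


if __name__ == "__main__":
    start, end = quarter_window(2026, 2)
    for h in triage(parse_rss(SAMPLE_RSS), STACK, start, end):
        tag = "EXPLOITED" if h["exploited"] else "patch-cycle"
        print(f"{h['published']} [{tag:11}] {', '.join(h['products'])}: {h['title']}  {h['link']}")
```

Swap `SAMPLE_RSS` for `fetch_feed(FEEDS["Fortinet"])` and friends to run it against the live feeds, and keep the previous quarter's output alongside the current one: the point of the exercise is catching the advisory that never reached the inbox, so the diff between quarters is more useful than either list alone.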



The Adjacent Reads This Week


The Fortinet and Palo CVEs are not in isolation. The Hacker News this week reported a critical RCE in Gogs that scores 9.4 and lets any authenticated user execute arbitrary code via malicious branch names — same management-plane attack class, different vendor stratum. The Marimo CVE-2026-39987 disclosure walked through how attackers used an LLM agent to conduct post-compromise hands-on-keyboard activity after exploiting publicly accessible Marimo notebooks, which is the first widely-reported case of LLM-in-the-loop tradecraft against a CVE in our reading. North Korea's Kimsuky group, which we have profiled previously and which has 587 prior IOC hits in our index, expanded its arsenal this week with HTTPSpy and the abuse of VS Code Tunnels for command and control — another perimeter-tier trust path turned into a soft surface. A previously undocumented Russia-linked threat group named GREYVIBE was disclosed by both BleepingComputer and The Hacker News in dual-source coverage, conducting AI-powered spear-phishing and fake-CAPTCHA campaigns against Ukraine. Our adversaries index returned zero prior hits on GREYVIBE — a named net-new actor we will be back-filling against during the next operator-profile pass.


The Fortinet and Palo disclosures are the loud ones because the brands are large and the deployment footprints are enormous. The Gogs, Marimo, Kimsuky, and GREYVIBE items are the quiet ones because the brands and footprints are smaller. The shape is the same. The perimeter vendor and the management plane and the trust path between systems are the surfaces under active exploitation in 2026. The procurement-tier mental model treats those surfaces as the part of the stack that does not require attention. The operator-tier mental model treats them as the most-attended surfaces in the entire estate.



What This Costs The Vendor Customer


The honest cost calculation for a Fortinet customer in May 2026 is the two-month exploitation window plus the rotation cost on every credential the management plane touched plus the audit cost on every configuration the management plane was authoritative over, plus whatever data the credential stealer harvested before the patch landed, plus whatever lateral movement the attacker has already established through the modified remote access profiles. The advisory does not enumerate this cost because the advisory's job is to ship the patch, not to itemize the customer's downstream remediation bill. The customer who reads only the advisory underestimates the remediation by an order of magnitude.


The honest cost calculation for a GlobalProtect customer is smaller because the exploitation window is shorter and the in-the-wild exploitation activity Palo confirmed on May 29 is described as "limited." The qualifier is doing a lot of work. Limited means the technical detail is now circulating among researchers who write technical detail. Two weeks from now the qualifier is no longer accurate. The patch window between today and that horizon is the entire remediation window the customer has.


We do not run FortiClient EMS or GlobalProtect in our shop, so we do not have a remediation bill to itemize this week. What we have is the receipt of two vendor disclosures within seventeen days of each other that turn the products explicitly marketed as perimeter defense into the breach. The pattern is not going away. The vendor messaging will continue to use the polished tone. The customer mental model will continue to treat the perimeter as the part of the stack that does not require attention. The operator population running these advisories under the polished tone will continue to harvest, persist, and pivot. The receipt is the same receipt every quarter. The pattern is the pattern.


Two CVEs, two vendors, one surface. Patch your perimeter products. Rotate the credentials. Audit the configurations. Set the quarterly reminder. The advisory mailing list is not the radar. Your own audit cadence is the radar.



