
CVE-2026-35616 FortiClient EMS Flaw Actively Exploited in Malware Attacks

A critical FortiClient Endpoint Management Server (EMS) vulnerability patched in April has been exploited in fresh attacks to deploy information-stealing malware, Arctic Wolf reports. 🚨

The flaw, tracked as CVE-2026-35616 (CVSS score of 9.1), can be exploited remotely and without authentication via crafted requests to achieve remote code execution (RCE).

In May 2026, Arctic Wolf identified attacks targeting systems managed by FortiClient EMS. Attackers used a fake Fortinet patch that actually delivered credential-stealing malware named EKZ Infostealer. The malware collected browser credentials, stored them in log files, and exfiltrated them over HTTP. Researchers believe the threat actors abused FortiClient EMS's own management features to push malicious PowerShell commands to managed endpoints, turning every connected device into a potential target. 💻

Fortinet released out-of-band patches for the critical FortiClient EMS vulnerability in early April. Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7. 🔒


This post is licensed under CC BY 4.0 by the author.