A critical vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS) is under active exploitation, with attackers using the flaw to deliver a custom credential stealer to managed enterprise endpoints — packaged to look like a legitimate Fortinet software update. The vulnerability, CVE-2026-35616, carries a CVSS score of 9.1 and enables unauthenticated attackers to bypass API authentication entirely, achieving code execution on the server without valid credentials.
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026. Despite that public listing and Fortinet’s own advisory, Arctic Wolf identified an active exploitation campaign in May 2026 in which attackers were abusing the flaw to push malware to endpoints managed through the vulnerable EMS.
The Vulnerability
CVE-2026-35616 is an improper access control flaw in the FortiClient EMS API layer. The EMS is the centralized management platform that enterprises use to deploy, configure, and update Fortinet endpoint security agents across their device fleets. It is a high-value target because it sits at the top of the management hierarchy — an attacker who controls the EMS controls every endpoint registered to it.
The vulnerability allows an unauthenticated attacker to send crafted requests to the EMS API that bypass all authentication and authorization checks. From there, the attacker can execute commands on the underlying server without any valid credentials or user interaction.
Affected versions: FortiClient EMS 7.4.5 and 7.4.6
watchTowr, the threat research firm that identified exploitation of this vulnerability in the wild, first detected active attacks on March 31, 2026 — before Fortinet had published its advisory. Fortinet released its advisory on April 4, 2026, and CISA added the vulnerability to the KEV catalog on April 6. The window between initial exploitation and public disclosure was approximately five days.
The Malware Campaign
When Arctic Wolf investigated the May 2026 exploitation wave, the pattern was consistent: attackers were using CVE-2026-35616 to compromise the EMS, then using their administrative position to push a malicious payload to managed endpoints through the legitimate software distribution channel.
The payload — dubbed EKZ Infostealer — was packaged to look exactly like a Fortinet endpoint update. It arrived through the normal EMS update mechanism. From an endpoint’s perspective, the agent received a software update from its management server — a routine event that triggers no alerts and requires no user interaction.
Once installed, EKZ Infostealer:
- Harvests stored credentials from browsers and credential stores
- Extracts saved passwords, session cookies, and authentication tokens
- Enumerates network configurations and connected resources
- Transmits collected data to attacker-controlled infrastructure
The delivery mechanism is what makes this campaign particularly dangerous. In environments where EMS-distributed updates are trusted by endpoint security tools — which they commonly are, to avoid blocking legitimate management activity — EKZ Infostealer installs and runs without triggering behavioral alerts. Detection requires either network-level monitoring of EMS command traffic or endpoint-level analysis that looks for anomalies in the update chain itself.
Why EMS Is Such a High-Value Target
FortiClient EMS is the nerve center of Fortinet’s endpoint security architecture. Organizations that deploy it have typically centralized their endpoint configuration, policy enforcement, and software update infrastructure through it. A compromised EMS is functionally equivalent to compromising every endpoint it manages — the attacker can push arbitrary code to every registered device in the fleet.
For large enterprises with thousands of managed endpoints, the blast radius of an EMS compromise is enormous. An attacker who can push malicious updates silently through legitimate channels has defeated the entire endpoint security stack from above.
This is also why Fortinet infrastructure has been a persistent target for sophisticated threat actors. FortiGate SSL VPNs have been exploited repeatedly since 2019, with nation-state actors including Chinese and Russian APTs using Fortinet vulnerabilities as initial access vectors for broader network intrusions. CVE-2026-35616 fits the same pattern: a high-severity vulnerability in management-tier infrastructure that provides outsized leverage once compromised.
Remediation
Fortinet has released a hotfix for FortiClient EMS that can be applied while waiting for the full software update. A complete patch is expected in FortiClient EMS 7.4.7.
Immediate steps for affected organizations:
- Apply the hotfix immediately — do not wait for the full software release if your environment runs EMS 7.4.5 or 7.4.6
- Audit EMS logs for unauthorized API calls, especially from external IP addresses or unexpected source addresses
- Review the EMS-pushed update history — if any unexpected updates were distributed to endpoints in the April–May 2026 window, investigate those updates for malicious payloads
- Rotate credentials on all managed endpoints and on the EMS server itself
- Check endpoint telemetry for signs of EKZ Infostealer activity: unusual outbound connections, credential store access, or new processes spawned via the Fortinet agent
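The log audit and update-history review steps above can be scripted as a first-pass triage. This is an added example, not code from the page or from Fortinet: the log line layout, field names, package names and source addresses are constructed assumptions rather than the real EMS log format, and the script only flags records for an analyst to review.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample lines in a hypothetical "<ts> <src_ip> <event> <k=v ...>" layout.
# This is NOT Fortinet's real EMS log format; "user=-" stands for "no authenticated user".
SAMPLE_LOG = """\
2026-04-02T08:15:10Z 10.20.30.41 api_call path=/api/v1/endpoints user=emsadmin
2026-04-03T22:41:07Z 203.0.113.77 api_call path=/api/v1/deploy user=-
2026-04-03T22:42:30Z 203.0.113.77 update_push pkg=FortiClientUpdate.exe
2026-02-11T12:00:00Z 10.20.30.41 update_push pkg=FortiClient_7.4.5.msi user=emsadmin
2026-05-14T03:05:44Z 10.20.30.99 api_call path=/api/v1/deploy user=-
"""

# The April-May 2026 window the article asks admins to review.
WINDOW_START = datetime(2026, 4, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 31, 23, 59, 59, tzinfo=timezone.utc)


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, src, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": ipaddress.ip_address(src), "event": event, **fields}


def suspicious_api_calls(log_text):
    """API calls with no authenticated user, or from a non-private source address."""
    hits = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec["event"] != "api_call":
            continue
        if rec.get("user", "-") == "-" or not rec["src"].is_private:
            hits.append(rec)
    return hits


def updates_in_window(log_text, start=WINDOW_START, end=WINDOW_END):
    """Update pushes inside the review window; each one needs a payload check."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec["event"] == "update_push" and start <= rec["ts"] <= end]


if __name__ == "__main__":
    for rec in suspicious_api_calls(SAMPLE_LOG):
        print("suspicious API call:", rec["ts"], rec["src"], rec.get("path"))
    for rec in updates_in_window(SAMPLE_LOG):
        print("update push to review:", rec["ts"], rec["src"], rec["pkg"])
```

Replace SAMPLE_LOG with a parser for the real EMS log format before using this against production data; the internal/external test here is only the RFC 1918 private-range check.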
Given that CISA added this vulnerability to the KEV catalog in April and exploitation continues in May, any organization running the affected versions that has not yet patched should treat remediation as a critical incident, not a routine update.
Sources
- watchTowr — FortiClient EMS Zero-Day CVE-2026-35616 Active Exploitation
- Arctic Wolf — FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer
- The Hacker News — Fortinet Patches Actively Exploited CVE-2026-35616
- SecurityAffairs — CVE-2026-35616 FortiClient EMS Flaw Actively Exploited
- runZero — Fortinet FortiClient EMS Vulnerability CVE-2026-35616