CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks

Pierluigi Paganini
May 28, 2026

A critical FortiClient Endpoint Management Server (EMS) vulnerability patched in April has been exploited in fresh attacks to deploy information-stealing malware, Arctic Wolf reports.

The flaw, tracked as CVE-2026-35616 (CVSS score of 9.1), can be exploited remotely via crafted requests for remote code execution (RCE) and does not require authentication.

Threat actors are exploiting a critical FortiClient EMS flaw, tracked as CVE-2026-35616, to deploy malware on unpatched systems.

Threat actors are exploiting a critical FortiClient EMS vulnerability, tracked as CVE-2026-35616 (CVSS score of 9.1), that allows remote code execution without authentication. Fortinet released fixes in April after confirming zero-day attacks in the wild and urged customers to patch immediately.

The flaw is an improper access control issue that allows attackers to bypass authentication through an API and escalate privileges, posing a serious risk to affected systems.

In May 2026, Arctic Wolf identified attacks targeting systems managed by FortiClient EMS. Attackers used a fake Fortinet patch that actually delivered a credential-stealing malware named EKZ Infostealer. The malware collected browser credentials, stored them in log files, and exfiltrated them over HTTP. Researchers believe threat actors abused FortiClient’s own management features to push malicious PowerShell commands to managed endpoints, turning every connected device into a potential target.

“When specially crafted HTTP requests are sent to certain FortiClient EMS endpoints without valid credentials, the requests are processed as if they were legitimate administrative actions. From that point onward, threat actors can interact with EMS functionality that would normally require administrative access.” reads the report published by Arctic Wolf. “Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.”

Fortinet released out-of-band patches for the critical FortiClient EMS vulnerability in early April. Fortinet confirmed active exploitation of the flaw and urges users of FortiClient EMS 7.4.5 and 7.4.6 to install available hotfixes. A permanent fix will also be included in version 7.4.7.

“An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.” reads the advisory published by Fortinet. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6”

In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon