Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
FortiClient EMS Flaw Exploited to Spread Malware

FortiClient EMS Flaw Exploited to Spread Malware

Posted on May 28, 2026 By CWS

A recently patched vulnerability in the FortiClient Endpoint Management Server (EMS) is being actively exploited to install information-stealing malware, according to a report by Arctic Wolf. The flaw, identified as CVE-2026-35616 and scoring 9.1 on the CVSS scale, allows for remote code execution without requiring authentication.

Details of the Vulnerability

In early April, Fortinet issued patches for this critical security flaw, which had already been exploited as a zero-day. The company urged users to apply these updates immediately to prevent potential attacks. Despite these warnings, unpatched FortiClient EMS instances are now being targeted by threat actors deploying the EKZ Infostealer.

The attackers are leveraging FortiClient-managed VPN scripting workflows, using command scripts that employ PowerShell, indicating a deep understanding of the targeted environments. According to Arctic Wolf, the attack method involves using FortiClient’s management pathways to deliver malicious commands, mimicking legitimate operations.

Impact on Managed Endpoints

FortiClient EMS serves as a centralized platform for managing FortiClient devices, policies, and configurations. As a result, once attackers gain access, they can execute malicious code across all managed endpoints. The deployed malware specifically targets browsers like Chrome, Microsoft Edge, and Firefox, extracting credentials, cookies, and autofill data, which are then exfiltrated via HTTP.

Arctic Wolf notes that the malware does not exfiltrate network-based credentials but instead exports browser credentials to a log file. Executed without specific arguments, it provides command-line usage instructions.

Urgent Need for Patching

Organizations are strongly advised to implement Fortinet’s patches for CVE-2026-35616 immediately. This vulnerability was added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) list on April 6, underscoring its critical nature.

Staying ahead of such vulnerabilities is vital for maintaining cybersecurity. Recent related incidents include the exploitation of the LiteSpeed cPanel Plugin zero-day and the KnowledgeDeliver vulnerability, highlighting the constant threat landscape.

As cyber threats evolve, timely patching and monitoring of security advisories remain key strategies in safeguarding organizational data and infrastructure.

Security Week News Tags:browser data theft, CISA, CVE-2026-35616, Cybersecurity, FortiClient, InfoStealer, Malware, Patching, PowerShell, RCE, remote code execution, security flaw, Vulnerability, zero-day

Post navigation

Previous Post: Enterprise AI Usage: Risks Centralized Among Power Users
Next Post: Hackers Exploit Networks for JavaScript Malware

Related Posts

Australia Enforces Ransomware Payment Reporting Australia Enforces Ransomware Payment Reporting Security Week News
FortiClient EMS Flaw Exploited to Spread Malware Gitea Vulnerability Exploited Actively, Experts Alert Security Week News
Zyxel Resolves Critical Security Flaw in Multiple Devices Zyxel Resolves Critical Security Flaw in Multiple Devices Security Week News
In Other News: Norway Dam Hacked, 7M Data Breach Settlement, UNFI Attack Update In Other News: Norway Dam Hacked, $177M Data Breach Settlement, UNFI Attack Update Security Week News
Censys Secures M to Boost Internet Intelligence Censys Secures $70M to Boost Internet Intelligence Security Week News
146,000 Impacted by Delta Dental of Virginia Data Breach 146,000 Impacted by Delta Dental of Virginia Data Breach Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark