A recently patched vulnerability in the FortiClient Endpoint Management Server (EMS) is being actively exploited to install information-stealing malware, according to a report by Arctic Wolf. The flaw, identified as CVE-2026-35616 and scoring 9.1 on the CVSS scale, allows for remote code execution without requiring authentication.
Details of the Vulnerability
In early April, Fortinet issued patches for this critical security flaw, which had already been exploited as a zero-day. The company urged users to apply these updates immediately to prevent potential attacks. Despite these warnings, unpatched FortiClient EMS instances are now being targeted by threat actors deploying the EKZ Infostealer.
The attackers are leveraging FortiClient-managed VPN scripting workflows, using command scripts that employ PowerShell, indicating a deep understanding of the targeted environments. According to Arctic Wolf, the attack method involves using FortiClient’s management pathways to deliver malicious commands, mimicking legitimate operations.
Impact on Managed Endpoints
FortiClient EMS serves as a centralized platform for managing FortiClient devices, policies, and configurations. As a result, once attackers gain access, they can execute malicious code across all managed endpoints. The deployed malware specifically targets browsers like Chrome, Microsoft Edge, and Firefox, extracting credentials, cookies, and autofill data, which are then exfiltrated via HTTP.
Arctic Wolf notes that the malware does not exfiltrate network-based credentials but instead exports browser credentials to a log file. Executed without specific arguments, it provides command-line usage instructions.
Urgent Need for Patching
Organizations are strongly advised to implement Fortinet’s patches for CVE-2026-35616 immediately. This vulnerability was added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) list on April 6, underscoring its critical nature.
Staying ahead of such vulnerabilities is vital for maintaining cybersecurity. Recent related incidents include the exploitation of the LiteSpeed cPanel Plugin zero-day and the KnowledgeDeliver vulnerability, highlighting the constant threat landscape.
As cyber threats evolve, timely patching and monitoring of security advisories remain key strategies in safeguarding organizational data and infrastructure.
