Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks

Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks

https://www.securityweek.com/critical-forticlient-ems-vulnerability-exploited-in-fresh-attacks/

Publish Date: 2026-05-28 08:55:47

Source Domain: www.securityweek.com

Summary

A critical vulnerability in FortiClient Endpoint Management Server (EMS), rated with a CVSS score of 9.1 and tracked as CVE-2026-35616, has been exploited in the wild just a few months after Fortinet released a patch in April. The exploit can allow remote code execution using crafted requests without requiring authentication. The vulnerability was used to deploy the EKZ Infostealer malware via fake Fortinet endpoint patches in campaigns targeting unpatched deployments. The attacks exploited FortiClient’s VPN scripting workflows, pushing malicious PowerShell commands to managed endpoints. The malware specifically targets Chromium and Gecko-based browsers to steal credentials, cookies, and autofill data which are then exfiltrated over HTTP. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) classified this defect as a Known Exploited Vulnerability on April 6, urging all organizations to promptly install this patch.

Key Points:

• A severe FortiClient EMS vulnerability, CVE-2026-35616, can lead to remote code execution; it was patched in April but already exploited.
• EKZ Infostealer malware is being deployed via fake Fortinet endpoint patches targeting unpatched installations.
• The attacks utilize FortiClient’s VPN scripting with PowerShell commands executed under legitimate management operations.
• Stolen data from Chrome, Edge, Firefox, and other compatible browsers are exfiltrated over HTTP.
• Immediate patching is advised as the vulnerability has been added to CISA’s list of Known Exploited Vulnerabilities.