Hackers Are Exploiting FortiClient EMS Right Now — CVE-2026-35616 Delivers a Brand New Infostealer
What Is CVE-2026-35616?
If your organization uses FortiClient Enterprise Management Server, stop reading this article and go patch your systems. Then come back and read why. CVE-2026-35616 is a critical authentication bypass vulnerability in Fortinet’s FortiClient EMS product that carries a CVSS score of 9.1 out of 10. The flaw allows unauthenticated attackers to send crafted requests to the FortiClient EMS API, bypassing all authentication and authorization protections to achieve remote code execution without valid credentials.
That is about as bad as vulnerabilities get. An attacker does not need a username, a password, or any form of authentication — they just need network access to your FortiClient EMS instance. And the vulnerability is not theoretical: it has been actively exploited in the wild since at least March 31, 2026, before Fortinet even published its advisory.
What makes this particularly dangerous is that FortiClient EMS is a management platform — it controls and monitors endpoint security agents across an organization’s entire fleet of devices. Compromising the EMS server gives attackers a foothold that can be leveraged to access every endpoint managed by the system. It is the cybersecurity equivalent of stealing the master key to every door in a building.
The Zero-Day Timeline: Attackers Moved First
The timeline of CVE-2026-35616 tells a familiar but deeply troubling story about the state of enterprise vulnerability disclosure. On March 31, 2026, security firm watchTowr’s Attacker Eye sensors detected exploitation activity targeting FortiClient EMS installations — four full days before Fortinet published its security advisory on April 4, 2026.
This means that attackers had discovered and were actively exploiting the vulnerability before the security community even knew it existed. By the time Fortinet issued its advisory, threat actors were already inside affected environments, having used the zero-day window to establish persistent access, exfiltrate credentials, and deploy follow-on payloads.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026, just two days after Fortinet’s disclosure. CISA gave federal agencies four days to secure their servers — an unusually tight deadline that reflects the severity and active exploitation of the vulnerability.
EKZ Infostealer: The New Malware Disguised as a Patch
As if the vulnerability itself were not bad enough, attackers have weaponized it with a novel twist that would be almost admirable if it were not so destructive. In May 2026, Arctic Wolf identified a new exploitation campaign where attackers are distributing a previously undocumented credential-stealing malware called EKZ Infostealer — disguised as a legitimate Fortinet security patch.
The irony is devastating. Organizations that are actively trying to protect themselves by applying patches are instead installing malware. The fake patch looks convincing enough to fool system administrators who are rushing to close the vulnerability, creating a cruel trap for exactly the people doing the right thing. This social engineering layer on top of the technical exploit demonstrates a level of sophistication that suggests well-resourced threat actors, possibly nation-state affiliated.
EKZ Infostealer targets stored credentials, browser sessions, authentication tokens, and VPN configurations — essentially everything an attacker would need to move laterally through an enterprise network and maintain persistent access even after the original vulnerability is patched. The malware communicates with command-and-control servers using encrypted channels, making it difficult to detect through standard network monitoring.
How the Attack Works Step by Step
Understanding the attack chain helps organizations recognize indicators of compromise and assess their exposure. The attack proceeds in several stages. First, the attacker identifies exposed FortiClient EMS instances — these are typically accessible on standard ports and can be found through services like Shodan or Censys. Second, the attacker sends specially crafted API requests that exploit the improper access control flaw, bypassing authentication entirely.
Once inside, the attacker has several options. In the initial exploitation campaigns observed by watchTowr, attackers established reverse shells and deployed web shells for persistent access. In the more recent campaigns identified by Arctic Wolf, attackers are delivering the EKZ Infostealer through a fake update mechanism that mimics Fortinet’s legitimate patch distribution process.
The final stage involves credential harvesting and lateral movement. Using the stolen credentials and authentication tokens, attackers can access other systems and services across the organization, potentially reaching databases, file servers, cloud environments, and other high-value targets. The EMS server’s privileged position in the network makes it an ideal pivot point for broader compromise.
Affected Versions and Who Is at Risk
CVE-2026-35616 affects FortiClient EMS versions 7.4.5 through 7.4.6. Organizations running these versions are vulnerable to unauthenticated remote code execution and should treat this as a maximum-priority security event. The vulnerability does not affect older versions of FortiClient EMS, though those versions may have their own unrelated security issues.
FortiClient EMS is widely deployed in enterprise environments across every industry vertical. It is used to manage endpoint security policies, deploy and update FortiClient agents, monitor endpoint compliance, and enforce security configurations. Organizations in healthcare, finance, government, education, and critical infrastructure are particularly at risk given the sensitivity of their data and the regulatory consequences of a breach.
The number of exposed FortiClient EMS instances on the public internet is not publicly known, but Fortinet products are among the most widely deployed network security solutions in the world. Even organizations that have properly segmented their EMS servers behind firewalls may be at risk if attackers can reach them through VPN connections, compromised endpoints, or other internal network access.
CISA Adds CVE-2026-35616 to KEV Catalog
CISA’s decision to add CVE-2026-35616 to the Known Exploited Vulnerabilities catalog carries significant implications for U.S. federal agencies and government contractors. Under Binding Operational Directive 22-01, federal civilian agencies are required to remediate KEV-listed vulnerabilities within specified timeframes — in this case, just four days from the directive’s issuance.
While the KEV mandate only applies directly to federal agencies, CISA strongly recommends that all organizations treat KEV-listed vulnerabilities as high-priority items requiring immediate remediation. Private sector organizations that follow the KEV catalog as a prioritization guide should already have this vulnerability at the top of their patching queue.
The NHS England Digital service also issued a cyber alert about the vulnerability, underscoring its global impact and the particular risk to healthcare organizations where FortiClient EMS manages endpoint security for systems processing sensitive patient data.
Fortinet’s Response and the Hotfix
Fortinet released a hotfix that can be applied while waiting for a full software patch, which is expected in the upcoming FortiClient EMS 7.4.7 release. The hotfix addresses the improper access control flaw but requires manual application, which means organizations need to actively download and install it rather than relying on automatic updates.
This is where the EKZ Infostealer campaign becomes particularly insidious. Attackers know that system administrators will be searching for Fortinet patches, and the fake patch campaign exploits that urgency. Organizations should only download patches directly from Fortinet’s official support portal and verify file hashes before installation.
Fortinet’s advisory also recommends reviewing system logs for signs of exploitation, particularly looking for unusual API calls, unauthorized administrative actions, and unexpected file modifications on the EMS server. Organizations that may have been compromised during the zero-day window should assume breach and conduct thorough incident response investigations.
Why Fortinet Vulnerabilities Keep Getting Exploited
CVE-2026-35616 is not an isolated incident — Fortinet products have been a frequent target for sophisticated threat actors. The company’s security appliances, VPN concentrators, and management platforms sit at critical points in enterprise networks, making them high-value targets. A single vulnerability in a Fortinet product can provide access to thousands of organizations simultaneously.
The pattern of Fortinet zero-days being exploited before disclosure raises uncomfortable questions about vulnerability research and disclosure timelines in the enterprise security space. When security vendors’ own products become the attack vector, it undermines the fundamental trust that organizations place in their security infrastructure. Every FortiClient EMS installation that was compromised through CVE-2026-35616 was, by definition, an organization that had invested in enterprise security — and that investment became the attack surface.
How to Protect Your Organization Right Now
If you have not already, apply Fortinet’s hotfix immediately — download it only from Fortinet’s official support portal. Do not trust patches from any other source, no matter how legitimate they appear. Verify the file hash against Fortinet’s published values before installation.
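The hash check in the preceding paragraph is simple to script so that the installer never runs when the digest disagrees with the published value. The following is an added example, not Fortinet's tooling and not from the article; the file contents and the "published" digest are constructed for the demonstration, and in practice the expected digest is copied from Fortinet's support portal rather than from wherever the file was downloaded.

```python
"""Gate a hotfix installation on a SHA-256 match against the vendor-published value.

Added example (not Fortinet's tooling). The package bytes and the expected digest
below are constructed for the demo; a real check pastes in the digest published
on the vendor's official support portal.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large installer packages need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_hotfix(path: Path, expected_sha256: str) -> bool:
    """Return True only when the file's digest equals the published one.

    Both sides are normalised to lower-case hex; hmac.compare_digest keeps the
    comparison constant-time and explicit.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def install_if_verified(path: Path, expected_sha256: str) -> str:
    """Refuse to proceed on a missing file or a digest mismatch."""
    if not path.is_file():
        return "refused: file missing"
    if not verify_hotfix(path, expected_sha256):
        return "refused: hash mismatch, do not install"
    # A real deployment would launch the installer here; the demo only reports.
    return "verified: safe to install"


def demo() -> tuple:
    """Constructed scenario: a genuine package beside a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "hotfix.bin"
        genuine.write_bytes(b"constructed hotfix payload\n")
        # Stands in for the digest published on the vendor portal.
        published = sha256_of_file(genuine)
        tampered = Path(tmp) / "hotfix_from_unknown_source.bin"
        tampered.write_bytes(b"constructed hotfix payload\n" + b"appended bytes")
        return (
            install_if_verified(genuine, published),
            install_if_verified(tampered, published),
        )


if __name__ == "__main__":
    print(demo())
```

The point of the wrapper is that a mismatch is a hard stop rather than a warning: a package that fails the check is exactly what the fake-patch campaign described above looks like from the administrator's side.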
Beyond patching, organizations should take several additional steps. Review FortiClient EMS logs for indicators of compromise dating back to at least March 31, 2026. Implement network segmentation to limit access to the EMS management interface. Enable multi-factor authentication for all administrative access. Monitor for unusual outbound network connections from the EMS server that could indicate C2 communication with the EKZ malware.
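The log review recommended by Fortinet's advisory and repeated in the checklist above comes down to a few questions per request: did a management API call succeed without an authenticated user, was it a state-changing call, and did it come from a network that should never reach the management interface? The script below is an added example, not Fortinet's tooling and not the FortiClient EMS log format; the line layout (timestamp, client IP, method, path, status, authenticated user or "-"), the API paths, the sample log lines and the management-network allowlist are all constructed, and only the review window start of March 31, 2026 comes from the article. Map your real EMS log fields onto the parser before using it.

```python
"""Triage a management-API access log for requests that should not have succeeded.

Added example, not Fortinet's tooling. The log format, paths, sample lines and
the management-network allowlist are constructed assumptions; the review window
start is the earliest exploitation date the article cites.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed generic format: "<ISO timestamp> <client IP> <METHOD> <path> <status> <user|->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<user>\S+)$"
)
# Review everything from the earliest observed exploitation date onward.
WINDOW_START = datetime(2026, 3, 31, tzinfo=timezone.utc)
# Assumed: the only networks expected to reach the management interface.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log; the paths are placeholders, not real EMS endpoints.
SAMPLE_LOG = """\
2026-03-30T08:00:01Z 10.20.5.7 GET /api/v1/endpoints 200 admin
2026-03-31T02:13:44Z 198.51.100.23 POST /api/v1/tasks 200 -
2026-03-31T02:13:45Z 198.51.100.23 POST /api/v1/tasks 200 -
2026-04-01T09:30:12Z 10.20.5.7 PUT /api/v1/policies 200 admin
2026-04-02T11:02:09Z 203.0.113.9 GET /api/v1/endpoints 401 -
2026-04-02T11:02:15Z 10.20.5.7 GET /static/app.js 200 -
2026-04-03T17:45:00Z 198.51.100.23 DELETE /api/v1/policies 204 -
"""


def parse_line(line: str) -> dict | None:
    """Parse one line into typed fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["status"] = int(e["status"])
    e["src"] = ipaddress.ip_address(e["src"])
    return e


def reasons_for(e: dict) -> list[str]:
    """Return the list of review reasons for an entry (empty means unremarkable)."""
    reasons = []
    succeeded = 200 <= e["status"] < 300
    anonymous = e["user"] == "-"
    api_call = e["path"].startswith("/api/")
    if api_call and succeeded and anonymous:
        reasons.append("api_success_without_user")
    if api_call and succeeded and anonymous and e["method"] in WRITE_METHODS:
        reasons.append("write_without_user")
    if not any(e["src"] in net for net in MGMT_NETWORKS):
        reasons.append("source_outside_mgmt")
    return reasons


def triage(log_text: str) -> list[dict]:
    """Return every in-window entry that has at least one review reason."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["ts"] < WINDOW_START:
            continue
        reasons = reasons_for(e)
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def sources_by_hits(findings: list[dict]) -> Counter:
    """Count findings per client address so the noisiest sources surface first."""
    return Counter(str(f["src"]) for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f["ts"].isoformat(), f["src"], f["method"], f["path"], f["status"], f["reasons"])
    print(sources_by_hits(hits).most_common())
```

Successful API calls with no authenticated principal are the signal that matters most for an authentication-bypass flaw; the source-network check is a cheaper second filter that also catches failed probing from outside the management segment, and an address that triggers both repeatedly is the one to investigate first.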
If you discover evidence of compromise, isolate the affected EMS server immediately and engage incident response resources. The scope of potential impact — given EMS’s role in managing all endpoint agents — means that a compromised EMS server should be treated as a network-wide security event requiring comprehensive investigation and remediation.
The Bottom Line
CVE-2026-35616 represents the worst-case scenario in enterprise security: a critical zero-day in a management platform that was exploited before disclosure, weaponized with a novel credential stealer disguised as a patch, and targets the very administrators trying to fix the problem. If your organization runs FortiClient EMS, this is not a “get to it eventually” vulnerability — it is a drop-everything-and-patch-now emergency. The attackers are already inside unpatched environments, and every hour of delay increases the risk of a devastating breach.