HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Authentication Bypass in FortiClient EMS (CVE‑2026‑35616) Enables Credential Stealer Deployment

Fortinet’s FortiClient EMS contains a critical authentication‑bypass (CVE‑2026‑35616) that attackers are exploiting to push the EKZ infostealer. The flaw affects unpatched EMS 7.4.x deployments, exposing credentials, credit‑card data, and MFA tokens across multiple industries, creating a serious third‑party risk.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
bleepingcomputer.com

Critical Authentication Bypass in FortiClient EMS (CVE‑2026‑35616) Enables Credential Stealer Deployment

What It Is — FortiClient Enterprise Management Server (EMS) suffers an authentication‑bypass flaw (CVE‑2026‑35616) that permits unauthenticated remote attackers to execute arbitrary code via crafted API requests. Threat actors are leveraging the bug to deliver the EKZ infostealer, disguised as a legitimate Fortinet endpoint update.

Exploitability — Active exploitation confirmed in the wild; emergency hot‑fixes released by Fortinet. CVSS v3.1 base score 9.8 (Critical). Proof‑of‑concept code and live traffic observed by Arctic Wolf and Shadowserver.

Affected Products — FortiClient EMS 7.4.5, 7.4.6 (and any earlier unpatched versions). The vulnerability affects any organisation that uses EMS to manage VPN and endpoint policies.

TPRM Impact — The compromised EMS instances can harvest browser credentials, credit‑card data, and MFA tokens from managed endpoints, creating a supply‑chain threat that may expose downstream vendors, partners, and customers. Thousands of internet‑exposed EMS instances have been identified, amplifying the risk to third‑party ecosystems.

Recommended Actions

  • Apply Fortinet’s emergency hot‑fixes for EMS 7.4.5/7.4.6 immediately.
  • Enforce strict API authentication and disable any unauthenticated endpoints.
  • Audit VPN scripting policies for unauthorized or unexpected commands.
  • Deploy EDR/EDR‑compatible monitoring to detect EKZ payload indicators (base64‑encoded PowerShell, unusual batch scripts).
  • Monitor outbound HTTP traffic for connections to unknown VPS domains and block exfiltration paths.

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/hackers-exploit-forticlient-ems-flaw-to-push-infostealer-malware/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →