Critical Authentication Bypass in FortiClient EMS (CVE‑2026‑35616) Enables Credential Stealer Deployment
What It Is — FortiClient Enterprise Management Server (EMS) suffers an authentication‑bypass flaw (CVE‑2026‑35616) that permits unauthenticated remote attackers to execute arbitrary code via crafted API requests. Threat actors are leveraging the bug to deliver the EKZ infostealer, disguised as a legitimate Fortinet endpoint update.
Exploitability — Active exploitation confirmed in the wild; emergency hot‑fixes released by Fortinet. CVSS v3.1 base score 9.8 (Critical). Proof‑of‑concept code and live traffic observed by Arctic Wolf and Shadowserver.
Affected Products — FortiClient EMS 7.4.5, 7.4.6 (and any earlier unpatched versions). The vulnerability affects any organisation that uses EMS to manage VPN and endpoint policies.
TPRM Impact — The compromised EMS instances can harvest browser credentials, credit‑card data, and MFA tokens from managed endpoints, creating a supply‑chain threat that may expose downstream vendors, partners, and customers. Thousands of internet‑exposed EMS instances have been identified, amplifying the risk to third‑party ecosystems.
Recommended Actions —
- Apply Fortinet’s emergency hot‑fixes for EMS 7.4.5/7.4.6 immediately.
- Enforce strict API authentication and disable any unauthenticated endpoints.
- Audit VPN scripting policies for unauthorized or unexpected commands.
- Deploy EDR/EDR‑compatible monitoring to detect EKZ payload indicators (base64‑encoded PowerShell, unusual batch scripts).
- Monitor outbound HTTP traffic for connections to unknown VPS domains and block exfiltration paths.
Source: BleepingComputer