HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical Infostealer Campaign Exploits FortiClient EMS (CVE‑2026‑35616) to Harvest Enterprise Credentials

Threat actors are abusing CVE‑2026‑35616 in FortiClient Enterprise Management Server to deliver the EKZ Infostealer to corporate endpoints. The flaw bypasses API authentication, allowing malicious script injection that harvests browser cookies, passwords and autofill data. TPRM teams must treat this as a high‑severity supply‑chain risk.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
helpnetsecurity.com

Critical Infostealer Campaign Exploits FortiClient EMS (CVE‑2026‑35616) to Harvest Enterprise Credentials

What It Is – A newly‑observed threat‑actor chain leverages an improper‑access‑control flaw (CVE‑2026‑35616) in Fortinet’s FortiClient Enterprise Management Server (EMS) to push a custom Windows infostealer (EKZ Infostealer) to managed endpoints.

Exploitability – The vulnerability was exploited as a zero‑day in May 2026; Arctic Wolf has released network‑level indicators. No public PoC exists beyond the observed campaign, but the attack is confirmed in the wild. CVSS ≈ 8.6 (High).

Affected Products – FortiClient EMS (any version prior to the Fortinet‑released patch) and any endpoint protected by FortiClient agents managed through that server.

TPRM Impact

  • Credential and session‑cookie theft from browsers and email clients across all third‑party organizations that rely on FortiClient EMS for endpoint management.
  • A supply‑chain foothold: compromise of a central management platform can cascade to dozens of downstream vendors and partners.

Recommended Actions

  • Deploy Fortinet’s emergency patch for CVE‑2026‑35616 immediately.
  • Conduct a forensic review of EMS logs for unauthenticated API calls, new admin accounts, and the “remind_upgrade_after” flag changes.
  • Rotate all privileged EMS credentials and enforce MFA for administrative access.
  • Validate endpoint policies for unauthorized script injections; revert any suspicious configuration changes.
  • Segment EMS traffic from the broader corporate network and enable strict outbound filtering for unknown executables.

Source: Help Net Security – New infostealer reaches enterprise devices through FortiClient EMS vulnerability

📰 Original Source
https://www.helpnetsecurity.com/2026/05/29/forticlient-ems-vulnerability-infostealer/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →