Critical Infostealer Campaign Exploits FortiClient EMS (CVE‑2026‑35616) to Harvest Enterprise Credentials
What It Is – A newly‑observed threat‑actor chain leverages an improper‑access‑control flaw (CVE‑2026‑35616) in Fortinet’s FortiClient Enterprise Management Server (EMS) to push a custom Windows infostealer (EKZ Infostealer) to managed endpoints.
Exploitability – The vulnerability was exploited as a zero‑day in May 2026; Arctic Wolf has released network‑level indicators. No public PoC exists beyond the observed campaign, but the attack is confirmed in the wild. CVSS ≈ 8.6 (High).
Affected Products – FortiClient EMS (any version prior to the Fortinet‑released patch) and any endpoint protected by FortiClient agents managed through that server.
TPRM Impact –
- Credential and session‑cookie theft from browsers and email clients across all third‑party organizations that rely on FortiClient EMS for endpoint management.
- A supply‑chain foothold: compromise of a central management platform can cascade to dozens of downstream vendors and partners.
Recommended Actions –
- Deploy Fortinet’s emergency patch for CVE‑2026‑35616 immediately.
- Conduct a forensic review of EMS logs for unauthenticated API calls, new admin accounts, and the “remind_upgrade_after” flag changes.
- Rotate all privileged EMS credentials and enforce MFA for administrative access.
- Validate endpoint policies for unauthorized script injections; revert any suspicious configuration changes.
- Segment EMS traffic from the broader corporate network and enable strict outbound filtering for unknown executables.
Source: Help Net Security – New infostealer reaches enterprise devices through FortiClient EMS vulnerability