What's Happening?
A critical vulnerability in FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-35616, is being exploited in recent attacks to deploy information-stealing malware. The flaw allows unauthenticated remote code execution and was patched by Fortinet in April, but systems that have not received the fix are being targeted by a campaign that drops the EKZ Infostealer disguised as a fake Fortinet endpoint patch. The attackers use FortiClient's management channel from EMS to its managed endpoints to run malicious PowerShell commands that look like routine administrative operations, which makes them easy to miss in process logs. The malware targets Chrome, Microsoft Edge and Firefox, collecting saved credentials, cookies and autofill data, and exfiltrates the data over plain HTTP, so the traffic is visible to any proxy or network monitoring that inspects outbound requests.
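The pattern described above (PowerShell pushed through the endpoint-management channel, followed by browser data leaving over plain HTTP) can be hunted for by correlating process-creation telemetry with proxy logs. The Python below is an added example written for this page, not code from the article, from Fortinet or from the campaign's tooling. It runs over constructed sample records: the article does not name FortiClient's agent binaries, so the parent process mgmt-agent.exe is a placeholder to swap for the real names in your environment, the host names and the 203.0.113.10 address are placeholders, and the size threshold and time window are assumptions to tune locally.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parent processes treated as the endpoint-management channel. The article does not
# name FortiClient's agent binaries, so "mgmt-agent.exe" is a constructed placeholder.
MANAGEMENT_PARENTS = {"mgmt-agent.exe"}
# Command-line fragments typical of hidden, encoded or download-cradle PowerShell.
PS_INDICATORS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                 "-nop", "bypass", "downloadstring", "invoke-webrequest", "iex ")
EXFIL_MIN_BYTES = 200_000        # assumed: plain-HTTP POST bodies at or above this size
WINDOW = timedelta(minutes=15)   # assumed: how long after the launch to look for a POST


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1)."""
    time: datetime
    host: str
    image: str
    parent_image: str
    command_line: str


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def is_powershell(ev):
    return basename(ev.image) in ("powershell.exe", "pwsh.exe")

def launched_via_management_channel(ev):
    return basename(ev.parent_image) in MANAGEMENT_PARENTS

def has_loader_indicators(ev):
    cl = ev.command_line.lower()
    return any(token in cl for token in PS_INDICATORS)

def parse_proxy_line(line):
    """Parse a constructed proxy record: '<ISO time> <host> <METHOD> <url> <bytes out>'."""
    ts, host, method, url, bytes_out = line.split()
    return {"time": datetime.fromisoformat(ts), "host": host,
            "method": method, "url": url, "bytes_out": int(bytes_out)}

def is_plain_http_post(rec):
    """Large POST over cleartext HTTP: the exfiltration pattern described in the article."""
    return (rec["method"] == "POST"
            and rec["url"].lower().startswith("http://")
            and rec["bytes_out"] >= EXFIL_MIN_BYTES)

def hunt(proc_events, proxy_lines, window=WINDOW):
    """Flag PowerShell launched through the management channel when it either carries
    loader indicators or is followed by a plain-HTTP POST from the same host."""
    posts = [parse_proxy_line(line) for line in proxy_lines]
    findings = []
    for ev in proc_events:
        if not (is_powershell(ev) and launched_via_management_channel(ev)):
            continue
        reasons = []
        if has_loader_indicators(ev):
            reasons.append("encoded/hidden PowerShell pushed via management channel")
        for p in posts:
            if (p["host"] == ev.host and is_plain_http_post(p)
                    and ev.time <= p["time"] <= ev.time + window):
                reasons.append(f"plain-HTTP POST of {p['bytes_out']} bytes to "
                               f"{p['url']} {p['time'] - ev.time} after launch")
        if reasons:
            findings.append({"host": ev.host, "time": ev.time,
                             "command_line": ev.command_line, "reasons": reasons})
    return findings


# Constructed sample data (not real telemetry); hosts, paths and 203.0.113.10 are placeholders.
T0 = datetime(2026, 5, 4, 9, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
AGENT = r"C:\Program Files\MgmtAgent\mgmt-agent.exe"
SAMPLE_PROCESS_EVENTS = [
    # Administrator running a script from the desktop: not the management channel.
    ProcEvent(T0, "WS-01", PS, r"C:\Windows\explorer.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),
    # Hidden, encoded PowerShell pushed through the agent: flagged on its own.
    ProcEvent(T0 + timedelta(minutes=1), "WS-02", PS, AGENT,
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACkA"),
    # Looks like a routine patch step; only the proxy log gives it away.
    ProcEvent(T0 + timedelta(minutes=2), "WS-03", PS, AGENT,
              r"powershell.exe -File C:\Temp\endpoint-patch.ps1"),
    # Same routine-looking step, with nothing suspicious afterwards.
    ProcEvent(T0 + timedelta(minutes=3), "WS-04", PS, AGENT,
              r"powershell.exe -File C:\Temp\endpoint-patch.ps1"),
]
SAMPLE_PROXY_LINES = [
    "2026-05-04T09:05:00 WS-01 GET https://updates.example.net/manifest.json 512",
    "2026-05-04T09:06:30 WS-03 POST http://203.0.113.10/upload 1482311",
    "2026-05-04T09:07:00 WS-04 POST https://intranet.example.net/report 350000",
    "2026-05-04T09:40:00 WS-02 POST http://203.0.113.10/upload 900000",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_PROXY_LINES):
        print(f["host"], f["time"].isoformat(), f["command_line"], f["reasons"])
```

Matching on the parent process alone would alert on every legitimate EMS-driven task, which is exactly what the campaign imitates; requiring either loader-style flags or a follow-on cleartext POST keeps the routine case (WS-04) quiet while still surfacing the benign-looking launch on WS-03. The same correlation applies to any management product that can push scripts to endpoints, not only FortiClient EMS.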
Why Is It Important?
Because EMS is the central point from which administrators push software and commands to managed endpoints, an attacker who compromises it inherits that reach: the flaw allows code execution across every endpoint the server manages, so the blast radius scales with the size of the fleet. The exploitation of this flaw highlights the importance of timely patching and vulnerability management; organizations that have not applied the fix risk credential theft, data breaches, financial loss and operational disruption. The incident underscores the need for regular updates and monitoring of security systems, management servers included, since the tools that protect endpoints are themselves high-value targets. The broader lesson for the industry is the ongoing challenge of defending against threats that abuse trusted administrative channels, and the value of proactive security measures.
What's Next?
Organizations running FortiClient EMS are urged to apply Fortinet's patches for CVE-2026-35616 immediately. The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which confirms active exploitation and sets a remediation deadline for US federal agencies. Beyond patching, organizations should verify that every EMS instance is running a fixed build, review endpoint process logs since April for PowerShell launched through the management channel that does not correspond to a known administrative task, and treat browser-stored credentials, cookies and session tokens on any endpoint where the infostealer ran as compromised (reset the passwords and invalidate active sessions). Increased collaboration between cybersecurity firms and government agencies is likely as similar campaigns are tracked. As cyber threats continue to evolve, organizations must remain vigilant and adaptive in their security strategies to protect against future attacks.