What's Happening?
A critical vulnerability in FortiClient Endpoint Management Server (EMS), identified as CVE-2026-35616 with a CVSS score of 9.1, has been exploited in recent cyber attacks. This flaw allows remote code execution without authentication and was initially
patched by Fortinet in April. Despite the availability of hotfixes, unpatched systems are being targeted by attackers deploying the EKZ Infostealer malware. The malware masquerades as a legitimate Fortinet endpoint patch and is executed through FortiClient-managed VPN scripting workflows. This method uses PowerShell commands to mimic legitimate management operations, enabling attackers to execute code across all managed endpoints. The malware targets browsers like Chrome, Microsoft Edge, and Firefox to steal credentials, cookies, and autofill data, which are then exfiltrated over HTTP. Organizations are urged to apply the patches immediately, as the vulnerability has been added to CISA's Known Exploited Vulnerabilities list.
Why It's Important?
The exploitation of this vulnerability poses significant risks to organizations using FortiClient EMS, as it allows attackers to gain widespread access to sensitive data across managed endpoints. The ability to execute code remotely without authentication makes this flaw particularly dangerous, potentially leading to large-scale data breaches. The deployment of information-stealing malware can result in the loss of critical business information, financial data, and personal user credentials, impacting both organizational operations and individual privacy. The incident underscores the importance of timely patch management and the need for robust cybersecurity measures to protect against evolving threats. Failure to address such vulnerabilities can lead to severe financial and reputational damage for affected organizations.
What's Next?
Organizations using FortiClient EMS should prioritize the application of Fortinet's patches to mitigate the risk of exploitation. Cybersecurity teams need to review their systems for signs of compromise and ensure that all endpoints are secured against this vulnerability. Additionally, there may be increased scrutiny from regulatory bodies regarding the handling of such vulnerabilities and the protection of user data. Companies might also consider enhancing their cybersecurity protocols and investing in advanced threat detection systems to prevent future incidents. As the threat landscape evolves, continuous monitoring and proactive security measures will be essential to safeguard against similar attacks.
