What's Happening?
A critical vulnerability in FortiClient Endpoint Management Server (EMS), identified as CVE-2026-35616, has been exploited in recent attacks to deploy information-stealing malware. The flaw, which allows unauthenticated remote code execution, was patched in April, but unpatched systems are now being targeted. Attackers are using FortiClient's management pathways to execute malicious PowerShell commands, disguising them as legitimate operations. The malware targets popular web browsers to steal credentials and other sensitive data, which is then exfiltrated over HTTP.
Why It's Important
This vulnerability highlights the ongoing risks associated with unpatched software in enterprise environments. The exploitation of FortiClient EMS underscores the importance of timely patching and the potential consequences of neglecting security updates. The attacks demonstrate how threat actors can leverage legitimate management tools to execute malicious activities, complicating detection and response efforts. Organizations using FortiClient EMS must prioritize applying the available patches to mitigate the risk of data breaches and information theft.
What's Next?
Organizations are urged to apply Fortinet's patches for CVE-2026-35616 immediately to protect against these attacks. The vulnerability has been added to CISA's Known Exploited Vulnerabilities list, emphasizing its severity. Security teams should also review their endpoint management practices and enhance monitoring for unusual activities that could indicate exploitation attempts.