Critical FortiClient EMS Vulnerability Exploited in New Cyber Attacks
A critical vulnerability in FortiClient Endpoint Management Server (EMS), identified as CVE-2026-35616, has been exploited in recent cyber attacks to deploy information-stealing malware. The flaw, which allows remote code execution without authentication, was patched by Fortinet in April. However, unpatched systems are being targeted by a campaign that deploys the EKZ Infostealer disguised as a Fortinet endpoint patch. Attackers have used FortiClient's management pathways to execute malicious PowerShell commands, mimicking legitimate operations. The malware targets browsers such as Chrome, Microsoft Edge, and Firefox to steal credentials, cookies, and autofill data, which are then exfiltrated over HTTP.