Executive Summary
In May 2026, threat actors exploited a critical authentication bypass vulnerability (CVE-2026-35616) in Fortinet's FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6. This flaw allowed unauthenticated remote attackers to execute arbitrary code via specially crafted requests. Leveraging this vulnerability, attackers delivered the EKZ infostealer malware, disguised as a legitimate Fortinet endpoint update, through FortiClient-managed VPN scripting workflows. The malware targeted credentials and sensitive data stored in web browsers, exfiltrating them to attacker-controlled servers. Fortinet released emergency patches to address this issue, and organizations were urged to apply them promptly to mitigate the risk of compromise.
This incident underscores the critical importance of timely patch management and vigilance against sophisticated social engineering tactics. The exploitation of trusted security infrastructure highlights the evolving strategies of threat actors, emphasizing the need for organizations to adopt a proactive and layered security approach to protect against such vulnerabilities.
Why This Matters Now
The active exploitation of CVE-2026-35616 demonstrates the increasing sophistication of cyber threats targeting critical security infrastructure. Organizations must prioritize patching vulnerable systems and enhance monitoring to detect and respond to such attacks promptly.
Attack Path Analysis
Attackers exploited an authentication bypass vulnerability in FortiClient EMS to gain unauthorized access. They escalated privileges by modifying EMS configurations and VPN policies. Utilizing these changes, they moved laterally to execute malicious scripts on connected endpoints. The scripts established command and control channels via PowerShell payloads. Sensitive data was exfiltrated to attacker-controlled servers over HTTP. The attack culminated in the deployment of the EKZ infostealer, compromising credentials and personal information.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited an authentication bypass vulnerability (CVE-2026-35616) in FortiClient EMS to gain unauthorized access.
Related CVEs
CVE-2026-35616
CVSS 9.8An improper access control vulnerability in Fortinet FortiClient EMS versions 7.4.5 through 7.4.6 allows unauthenticated remote attackers to execute unauthorized code or commands via specially crafted requests.
Affected Products:
Fortinet FortiClient EMS – 7.4.5, 7.4.6
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
External Remote Services
Command and Scripting Interpreter: PowerShell
Ingress Tool Transfer
Multi-Factor Authentication Interception
Modify Authentication Process: Domain Controller Authentication
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security vulnerabilities are identified and addressed
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
CISA-mandated patching of FortiClient EMS CVE-2026-35616 highlights critical VPN infrastructure vulnerabilities enabling EKZ infostealer deployment through authentication bypass exploitation.
Information Technology/IT
FortiClient EMS authentication bypass allows remote code execution, compromising managed endpoint security through malicious VPN scripting workflows and credential theft operations.
Financial Services
EKZ infostealer targets credit card details and authentication cookies through compromised FortiClient endpoints, bypassing MFA protections and threatening financial data integrity.
Computer/Network Security
Exploitation of Fortinet security infrastructure demonstrates supply chain risks where trusted security tools become attack vectors for credential harvesting and data exfiltration.
Sources
- Hackers exploit FortiClient EMS flaw to push infostealer malwarehttps://www.bleepingcomputer.com/news/security/hackers-exploit-forticlient-ems-flaw-to-push-infostealer-malware/Verified
- FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patchhttps://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/Verified
- New FortiClient EMS flaw exploited in attacks, emergency patch releasedhttps://www.bleepingcomputer.com/news/security/new-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial unauthorized access would likely be limited to the compromised workload, reducing the potential for further exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may be constrained, reducing the scope of their access within the environment.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely be restricted, limiting their ability to compromise additional endpoints.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may be detected and disrupted, reducing the attacker's ability to maintain control over compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data would likely be prevented, reducing the risk of data loss.
The deployment of the EKZ infostealer may be contained to the initially compromised workload, reducing the overall impact on the organization.
Impact at a Glance
Affected Business Functions
- Endpoint Management
- Network Security
- Data Protection
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive credentials and personal information due to the deployment of the EKZ Infostealer malware.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict unauthorized access and limit lateral movement.
- • Enhance East-West Traffic Security to monitor and control internal communications.
- • Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Utilize Multicloud Visibility & Control to detect and respond to anomalous activities.
- • Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.
