Executive Summary
In May 2026, threat actors exploited a critical vulnerability (CVE-2026-35616) in Fortinet's FortiClient Endpoint Management Server (EMS) to deploy credential-stealing malware across managed endpoints. By abusing the trusted endpoint management infrastructure, attackers disguised the malicious payload as a legitimate Fortinet update, executing it via PowerShell. This allowed them to harvest sensitive data, including passwords and autofill details from web browsers, and exfiltrate the information to attacker-controlled servers. The exploitation of this vulnerability underscores the risks associated with unpatched management systems and the potential for widespread compromise through centralized infrastructure. Organizations are urged to apply the latest patches and review endpoint management configurations to mitigate such threats.
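The summary describes the on-endpoint stage of this attack: a payload dressed up as a vendor update and run through PowerShell under the authority of the endpoint management agent. The following detection sketch is an added example for defenders, not code from the advisory, Fortinet or Aviatrix. It scores process-creation events for that pattern: PowerShell spawned by the management agent, combined with command-line traits that a pushed "update" should not need. The parent process name `mgmt-agent.exe` is a hypothetical placeholder for whatever agent binary your EDR records, and every sample event is constructed.

```python
"""Score process-creation events for PowerShell launches that look like a
disguised 'update' delivered through endpoint management.

Added example, not from the advisory or from Fortinet/Aviatrix. The parent
image 'mgmt-agent.exe' is a hypothetical placeholder for the endpoint
management agent in your environment; all events below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Hypothetical placeholder: the agent that executes tasks pushed from the
# management server. Replace with the real binary name from your EDR data.
MANAGED_PARENTS = {"mgmt-agent.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits that a legitimate, vendor-signed update rarely needs.
SUSPICIOUS_FLAGS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I), "remote fetch"),
    (re.compile(r"\w*update\w*\.(?:ps1|exe|bat)\b", re.I), "update-named script"),
]


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons: List[str] = []
    if ev["image"].lower() not in POWERSHELL:
        return reasons
    if ev["parent_image"].lower() in MANAGED_PARENTS:
        reasons.append("powershell spawned by management agent")
    for pattern, label in SUSPICIOUS_FLAGS:
        if pattern.search(ev["cmdline"]):
            reasons.append(label)
    # Alert only when two or more signals coincide: a bare PowerShell task
    # pushed by the agent is routine administration in most fleets.
    return reasons if len(reasons) >= 2 else []


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (host, reasons) for every event that crosses the threshold."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            alerts.append((ev["host"], reasons))
    return alerts


# Constructed sample events (hostnames, paths and command lines are made up).
SAMPLE_EVENTS = [
    {"host": "ep-001", "parent_image": "mgmt-agent.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -File C:\ProgramData\EMSUpdate.ps1"},
    {"host": "ep-002", "parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},
    {"host": "ep-003", "parent_image": "mgmt-agent.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"host": "ep-004", "parent_image": "cmd.exe", "image": "pwsh.exe",
     "cmdline": "pwsh.exe -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ep-005", "parent_image": "mgmt-agent.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_EVENTS):
        print(f"{host}: {'; '.join(reasons)}")
```

The threshold of two signals is a design choice: an inventory script pushed by the agent (`ep-003`) scores one signal and stays quiet, while a hidden, profile-less "update" script launched by the same agent (`ep-001`) trips several. Tune the parent set and patterns to your own telemetry before relying on it.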
Why This Matters Now
The active exploitation of CVE-2026-35616 highlights the critical need for organizations to promptly apply security patches to prevent attackers from leveraging known vulnerabilities to deploy malware across managed endpoints.
Attack Path Analysis
Threat actors exploited a critical vulnerability in FortiClient EMS to gain unauthorized access, escalated privileges to modify configurations, moved laterally to deploy malware across managed endpoints, established command and control through malicious scripts, exfiltrated credentials from browsers, and impacted organizations by compromising sensitive information.
Kill Chain Progression
Initial Compromise
Description
Threat actors exploited CVE-2026-35616, a critical pre-authentication API access bypass in FortiClient EMS, to gain unauthorized access to the management server.
Related CVEs
CVE-2026-21643
CVSS 9.8
A critical SQL injection vulnerability in FortiClient EMS 7.4.4 allows unauthenticated remote attackers to execute arbitrary SQL commands and unauthorized code or commands via crafted HTTP requests.
Affected Products:
Fortinet FortiClient EMS – 7.4.4
Exploit Status:
exploited in the wild
CVE-2026-35616
CVSS 9.8
An improper access control vulnerability in FortiClient EMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute unauthorized code or commands via crafted requests.
Affected Products:
Fortinet FortiClient EMS – 7.4.5, 7.4.6
Exploit Status:
exploited in the wild
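The two CVE entries above give exact affected version ranges (7.4.4 for CVE-2026-21643; 7.4.5 through 7.4.6 for CVE-2026-35616). The script below is an added example, not from the advisory or Fortinet, that checks an inventory of EMS server versions against those ranges so a team can find which servers need the patch first. The ranges are taken from this page; the sample inventory is constructed. A version outside both ranges is reported as not listed here, which is not the same as confirmed fixed, so check the vendor advisory for the actual fixed builds.

```python
"""Triage FortiClient EMS versions against the affected ranges on this page.

Added example, not from the advisory or from Fortinet. Affected ranges are
inclusive (low, high) tuples copied from the CVE entries above; the sample
inventory is constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges, as stated in the advisory text.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "CVE-2026-21643": ((7, 4, 4), (7, 4, 4)),
    "CVE-2026-35616": ((7, 4, 5), (7, 4, 6)),
}


def parse_version(text: str) -> Version:
    """Turn '7.4.5' or 'v7.4.5 build1234' into a comparable tuple of ints."""
    core = (text.strip().lstrip("vV").split() or [""])[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, n: int) -> Version:
    """Right-pad with zeros so 7.4 compares equal to 7.4.0."""
    return v + (0,) * (n - len(v))


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids whose affected range contains `version`."""
    v = parse_version(version)
    hits = []
    for cve, (low, high) in AFFECTED.items():
        n = max(len(v), len(low), len(high))
        if _pad(low, n) <= _pad(v, n) <= _pad(high, n):
            hits.append(cve)
    return sorted(hits)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map host -> affected CVEs; hosts with nothing to report are omitted.

    An unparseable version string is surfaced rather than silently skipped,
    since an unknown version cannot be declared safe.
    """
    out: Dict[str, List[str]] = {}
    for host, ver in inventory.items():
        try:
            hits = affected_cves(ver)
        except ValueError:
            hits = ["UNPARSEABLE-VERSION"]
        if hits:
            out[host] = hits
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ems-prod-01": "7.4.4",
    "ems-prod-02": "7.4.6",
    "ems-lab": "7.4.7",
    "ems-old": "7.2.9",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```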
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Client Execution
Valid Accounts
Credentials from Password Stores
Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
Critical FortiClient EMS exploitation enables credential theft through trusted endpoint management infrastructure, compromising zero trust segmentation and east-west traffic security controls.
Financial Services
Credential stealing malware delivered via compromised endpoint management violates PCI compliance requirements and enables lateral movement across banking network infrastructures.
Health Care / Life Sciences
Endpoint management compromise threatens HIPAA compliance through credential theft, potentially exposing patient data via unencrypted traffic and inadequate access controls.
Government Administration
FortiClient EMS vulnerabilities enable threat actors to steal credentials from government endpoints, compromising NIST 800-53 controls and facilitating data exfiltration.
Sources
- Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer: https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
- Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643): https://www.helpnetsecurity.com/2026/03/30/forticlient-ems-cve-2026-21643-reported-exploitation/
- FortiClient Endpoint Management Server (EMS) SQL Injection Vulnerability (CVE-2026-21643): https://threatprotect.qualys.com/2026/02/11/forticlient-endpoint-management-server-ems-sql-injection-vulnerability-cve-2026-21643/
- FortiClient EMS Exploited via CVE-2026-35616 for EKZ Infostealer Deployment: https://www.technadu.com/forticlient-ems-exploited-via-cve-2026-35616-for-ekz-infostealer-deployment/628498/
- How to find Fortinet FortiClient Endpoint Management Server on your network: https://www.runzero.com/blog/fortinet-forticlient-ems/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial exploitation, it could likely limit the attacker's ability to leverage the compromised server to access other workloads.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by restricting unauthorized configuration changes.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely limit the attacker's ability to move laterally by restricting unauthorized communications between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely limit the attacker's ability to establish command and control channels by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit the attacker's ability to exfiltrate data by controlling and monitoring outbound traffic.
With Aviatrix CNSF controls in place, the scope of data breaches could likely be reduced, limiting unauthorized access to critical systems and data.
Impact at a Glance
Affected Business Functions
- Endpoint Security Management
- Network Security Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive credentials and network configurations managed by FortiClient EMS.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware across endpoints.
- Deploy East-West Traffic Security controls to monitor and control internal traffic, detecting unauthorized communications between systems.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration by monitoring and controlling outbound traffic.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to malicious activities promptly.
- Regularly update and patch systems to address known vulnerabilities, reducing the risk of exploitation.