Introduction
A newly exploited critical vulnerability in Fortinet’s FortiClient EMS platform has raised serious cybersecurity concerns across enterprise environments worldwide. Tracked as CVE-2026-35616 with a CVSS score of 9.1, this flaw allows attackers to execute remote code without authentication, effectively giving them full control over vulnerable systems. What makes this vulnerability particularly dangerous is not only its severity but also the fact that it has already been actively exploited in real-world attacks before many organizations had fully applied security patches. Fortinet confirmed the issue and released emergency fixes in April 2026, but threat actors have continued leveraging it through sophisticated campaigns involving fake updates and credential-stealing malware. The incident highlights once again how rapidly zero-day vulnerabilities can transition from discovery to active weaponization in the modern threat landscape.
A Comprehensive Look at the Incident
The FortiClient EMS vulnerability, identified as CVE-2026-35616, is classified as an improper access control flaw (CWE-284). It allows unauthenticated attackers to send specially crafted HTTP requests to vulnerable EMS endpoints, bypassing authentication mechanisms entirely. Once access is gained, attackers can execute arbitrary commands remotely, effectively achieving remote code execution without requiring valid credentials.
Security researchers confirmed that threat actors have already been exploiting this flaw in active campaigns. Fortinet acknowledged the exploitation and released out-of-band patches in April 2026, urging customers to immediately update affected systems, particularly versions 7.4.5 and 7.4.6. A permanent fix is scheduled for inclusion in version 7.4.7.
In parallel investigations, cybersecurity firm Arctic Wolf observed a wave of attacks targeting FortiClient EMS-managed environments in May 2026. These attacks used a deceptive strategy involving fake Fortinet security updates. Instead of delivering legitimate patches, the attackers deployed a credential-stealing malware known as EKZ Infostealer.
This malware was designed to harvest browser-stored credentials, write them into local log files, and exfiltrate them over HTTP to attacker-controlled infrastructure. The campaign showed a high level of sophistication, with attackers leveraging trusted enterprise management systems to distribute malicious payloads.
Researchers further believe that the attackers abused FortiClient EMS administrative features to push malicious PowerShell commands directly to connected endpoints. This effectively transformed the EMS platform into a distribution hub for malware, allowing compromise to spread across entire managed device fleets.
According to Arctic Wolf, unauthenticated HTTP requests sent to vulnerable EMS endpoints were processed as legitimate administrative actions. This allowed attackers to interact with sensitive management functions without proper authorization, escalating their control within affected environments.
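The behaviour described above, an anonymous request to a management endpoint being answered as if it were an authenticated administrative action, is something a defender can look for in audit logs after the fact. The following is an added example written for this article; it is not Fortinet's or Arctic Wolf's code, and the JSON log format, the field names and the `/api/admin/` path prefix are constructed assumptions that would need to be mapped to the real product's audit log. It flags privileged routes that returned a 2xx status with no session or user attached, and tallies the sources that produced such hits.

```python
"""Flag successful management-API requests that carried no authenticated session.

Added example, not code from Fortinet or Arctic Wolf. The log format, the
'/api/admin/' prefix and the field names are constructed for illustration;
adapt them to the audit log your management platform actually emits.
"""
import json
from collections import Counter

ADMIN_PREFIX = "/api/admin/"   # assumed prefix of privileged management routes

# Constructed sample audit log (JSON lines). Not real FortiClient EMS output.
SAMPLE_LOG = """\
{"ts":"2026-05-02T10:00:01Z","src":"10.0.5.20","method":"GET","path":"/api/admin/endpoints","status":200,"session":"s-4a1f","user":"admin"}
{"ts":"2026-05-02T10:00:07Z","src":"198.51.100.7","method":"POST","path":"/api/admin/scripts/push","status":200,"session":null,"user":null}
{"ts":"2026-05-02T10:00:08Z","src":"198.51.100.7","method":"POST","path":"/api/admin/scripts/push","status":200,"session":null,"user":null}
{"ts":"2026-05-02T10:00:09Z","src":"198.51.100.7","method":"GET","path":"/api/admin/endpoints","status":401,"session":null,"user":null}
{"ts":"2026-05-02T10:00:15Z","src":"10.0.5.21","method":"GET","path":"/login","status":200,"session":null,"user":null}
{"ts":"2026-05-02T10:00:20Z","src":"10.0.5.20","method":"POST","path":"/api/admin/scripts/push","status":200,"session":"s-4a1f","user":"admin"}
"""


def parse_lines(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line should not abort the whole scan
    return records


def is_privileged(path):
    return path.startswith(ADMIN_PREFIX)


def unauthenticated_admin_successes(records):
    """Return records where a privileged route returned 2xx with no session or user.

    A 401/403 for an anonymous caller is the expected outcome. A 2xx means the
    server processed an unauthenticated request as a legitimate admin action,
    which is the symptom described in the article.
    """
    hits = []
    for r in records:
        if not is_privileged(r.get("path", "")):
            continue
        ok = 200 <= int(r.get("status", 0)) < 300
        anonymous = not r.get("session") and not r.get("user")
        if ok and anonymous:
            hits.append(r)
    return hits


def sources_by_hit_count(hits):
    """Count hits per source address so repeat offenders stand out."""
    return Counter(h["src"] for h in hits)


def report(text):
    recs = parse_lines(text)
    hits = unauthenticated_admin_successes(recs)
    return {
        "records": len(recs),
        "hits": len(hits),
        "paths": sorted({h["path"] for h in hits}),
        "sources": dict(sources_by_hit_count(hits)),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

On the constructed sample this reports two hits, both from one external address against the same script-push route; the anonymous request that was correctly refused with 401 is not counted. In practice the same rule should be run against the platform's real audit trail for the window before the patch was applied, since a clean result after patching says nothing about what happened earlier.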
Fortinet’s official advisory confirmed that the flaw allows unauthorized code execution via crafted requests and emphasized that exploitation had already been observed in the wild. In response, the vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog in April 2026, requiring federal agencies to remediate it promptly.
The combined impact of remote code execution capability, lack of authentication requirement, and active exploitation makes CVE-2026-35616 one of the most severe enterprise security issues recently disclosed in Fortinet’s product ecosystem.
What Undercode Says:
The FortiClient EMS vulnerability reflects a deeper structural problem in enterprise management platforms, where centralized control systems become high-value targets for attackers. EMS solutions are designed to simplify endpoint management, but in doing so they concentrate administrative privileges into a single attack surface. When that surface is compromised, the blast radius is immediate and widespread.
The exploitation of CVE-2026-35616 demonstrates how modern threat actors prioritize management layers over endpoints. Instead of attacking individual machines, attackers targeted the orchestration layer itself, which granted them indirect access to hundreds or even thousands of connected devices. This is a strategic evolution in intrusion methodology.
The use of fake Fortinet updates is particularly significant. It highlights a growing trend in supply-chain style deception where attackers impersonate trusted vendors to bypass user skepticism. In enterprise environments, updates are rarely questioned, which makes them an ideal delivery vector for malware.
The integration of EKZ Infostealer into this campaign shows a dual objective: persistence and credential harvesting. By collecting browser credentials, attackers gain access not only to internal systems but also to cloud services, VPNs, and third-party platforms. This expands the attack surface beyond the original EMS compromise.
Another important observation is the abuse of PowerShell through EMS management features. PowerShell remains one of the most powerful legitimate administrative tools in Windows environments, but it is also frequently abused for living-off-the-land attacks. By pushing PowerShell commands through trusted EMS channels, attackers effectively bypassed traditional endpoint detection mechanisms.
The vulnerability itself, categorized as improper access control, is a reminder that authentication bypass flaws remain among the most dangerous categories of security bugs. Unlike memory corruption issues that require complex exploitation chains, access control failures are often straightforward to exploit once discovered.
CISA’s decision to include CVE-2026-35616 in its Known Exploited Vulnerabilities catalog reinforces the severity of the issue. Once a vulnerability reaches KEV status, it is no longer a theoretical risk but confirmed active threat activity. This forces organizations to prioritize remediation over routine patch cycles.
Fortinet’s rapid release of out-of-band patches suggests that the company treated this as an emergency response scenario rather than a standard update cycle. However, patch availability does not guarantee protection, as many organizations delay updates due to operational constraints or compatibility concerns.
The broader implication is that enterprise security platforms must adopt stricter isolation between management interfaces and execution layers. If administrative APIs can be accessed without authentication due to a flaw, the entire infrastructure collapses into a single point of failure.
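The point about administrative APIs being reachable without authentication is the general shape of an improper access control flaw (CWE-284): a privileged action is reached through a code path that never consults the authentication layer. The following added example (not code from Fortinet or any EMS product; the routes, session store and `Request` type are constructed for illustration) contrasts the fragile pattern, where each handler is responsible for its own check and one forgets, with a deny-by-default dispatcher that authenticates before any handler runs and only lets explicitly allowlisted routes through anonymously.

```python
"""Improper access control in a management API: per-handler checks vs. deny-by-default.

Added example, not code from Fortinet or any EMS product. The routes, the
session store and the Request type are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed session store: token -> user
VALID_SESSIONS = {"s-4a1f": "admin"}


@dataclass
class Request:
    path: str
    session: Optional[str] = None   # session token from cookie/header, None if absent


def authenticate(req):
    """Return the user bound to the request's session, or None."""
    return VALID_SESSIONS.get(req.session) if req.session else None


# --- Fragile pattern: every handler must remember to check -------------------

def vuln_list_endpoints(req):
    if authenticate(req) is None:
        return 401, "unauthorized"
    return 200, "endpoint list"


def vuln_push_script(req):
    # The check is missing here, so an anonymous caller reaches a privileged
    # action. This is the defect class the article describes (CWE-284).
    return 200, "script queued"


VULN_ROUTES = {
    "/api/admin/endpoints": vuln_list_endpoints,
    "/api/admin/scripts/push": vuln_push_script,
}


def vuln_dispatch(req):
    handler = VULN_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)   # authentication is left to the handler


# --- Hardened pattern: the dispatcher enforces auth; handlers cannot opt out ---

PUBLIC_ROUTES = {"/login", "/health"}   # explicit allowlist; everything else needs a session


def login(req, user):
    return 200, "login page"


def list_endpoints(req, user):
    return 200, f"endpoint list for {user}"


def push_script(req, user):
    return 200, f"script queued by {user}"


SAFE_ROUTES = {
    "/login": login,
    "/api/admin/endpoints": list_endpoints,
    "/api/admin/scripts/push": push_script,
}


def safe_dispatch(req):
    handler = SAFE_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    user = authenticate(req)
    if req.path not in PUBLIC_ROUTES and user is None:
        # Deny by default: no handler body runs for an anonymous caller.
        return 401, "unauthorized"
    return handler(req, user)


if __name__ == "__main__":
    anon = Request("/api/admin/scripts/push")
    print("fragile :", vuln_dispatch(anon))
    print("hardened:", safe_dispatch(anon))
    print("hardened, authenticated:", safe_dispatch(Request("/api/admin/scripts/push", "s-4a1f")))
```

The difference is where the decision lives. In the fragile version a single forgotten line turns a privileged route into an anonymous one, and nothing else in the system notices. In the hardened version a new route is private unless someone deliberately adds it to `PUBLIC_ROUTES`, which turns the failure mode from "silently exposed" into "visibly refused", and makes the allowlist a small, reviewable artifact.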
This incident also underscores the importance of zero-trust principles in internal networks. Even internal management systems should not be assumed safe, especially when they are exposed to HTTP-based interfaces that can be reached remotely.
Finally, the attack chain illustrates how modern cyber operations combine exploitation, social engineering, and malware deployment into a single streamlined process. The sophistication is not in a single exploit but in the orchestration of multiple weak points into a full compromise lifecycle.
Fact Checker Results
CVE-2026-35616 is confirmed as a high-severity FortiClient EMS vulnerability with active exploitation. ✅
Fortinet has released emergency patches and confirmed real-world attacks targeting the flaw. ✅
Arctic Wolf analysis supports the claim of fake updates and credential-stealing malware campaigns. ❌
Prediction
Future exploitation of CVE-2026-35616 or similar flaws is likely to evolve toward automated mass scanning and exploitation across enterprise environments. Attackers will increasingly integrate fake update mechanisms with advanced persistence frameworks to maintain long-term access. Security vendors will respond by tightening API authentication layers and embedding anomaly detection into EMS platforms, but organizations that delay patching will remain the most vulnerable targets in upcoming attack waves.
References:
Reported By: securityaffairs.com