A critical vulnerability in FortiClient EMS, tracked as CVE-2026-35616 with a CVSS score of 9.1, has been exploited in recent malware attacks. The flaw allows remote code execution (RCE) without authentication and enables attackers to bypass access controls. Arctic Wolf reported that attackers exploited the flaw to deploy EKZ Infostealer, credential-stealing malware disguised as a Fortinet patch. Fortinet released patches in April, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog, urging users to apply the hotfixes as soon as possible.