A critical vulnerability in FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-35616 with a CVSS score of 9.1, has been actively exploited to deploy the EKZ Infostealer malware. Attackers exploited the flaw to achieve remote code execution without authentication, then used FortiClient's management workflows to deliver malicious PowerShell commands disguised as security updates. The malware targets various web browsers to steal user credentials and data, which it exfiltrates over HTTP. Organizations are urged to apply patches for this vulnerability, which CISA lists as a known exploited flaw.
FortiClient EMS bug exploited to deliver EKZ Infostealer
CyberSIXT Evidence Panel
Article by CyberSIXT
Timeline Coverage
- FortiClient EMS flaw used to deploy EKZ Infostealer via fake patch (securityaffairs.com)
- FortiClient EMS bug exploited to deliver EKZ Infostealer (www.securityweek.com)
- FortiClient EMS flaw used to drop EKZ Infostealer via fake updates (securityonline.info)