Back to all lessons
Awareness Lessons
last month

Critical FortiClient EMS Zero-Day Exploited in Active Attacks

Attackers are actively exploiting a critical remote code execution vulnerability (CVE-2026-35616) in FortiClient Endpoint Management Server that was patched by Fortinet in April. The vulnerability allows attackers to distribute EKZ Infostealer malware disguised as fake Fortinet patches, leveraging the management server's legitimate VPN scripting workflows to execute PowerShell commands across all managed endpoints. This incident demonstrates how unpatched critical vulnerabilities in management infrastructure can provide attackers with broad access to steal credentials and compromise entire endpoint fleets. Organizations running FortiClient EMS must prioritize immediate patching as attackers are weaponizing the management pathway to turn security tools against the networks they're meant to protect.

Tactical Insight

Immediate actions

  • Apply Fortinet's patch for CVE-2026-35616 on all FortiClient EMS deployments immediately
  • Audit all managed endpoints for signs of EKZ Infostealer or unauthorized PowerShell execution
  • Verify patch authenticity through official Fortinet channels, not third-party sources

Long-term improvements

  • Implement automated vulnerability scanning specifically for security infrastructure components
  • Establish emergency patching procedures with defined SLAs for critical vulnerabilities in management systems
  • Deploy network segmentation to isolate endpoint management servers from general network traffic

Detection measures

  • Monitor FortiClient VPN scripting workflows for unauthorized or suspicious PowerShell commands
  • Enable logging and alerting for all administrative actions on endpoint management platforms