:

FORTICLIENT EMS FLAW EXPLOITED FOR MALWARE DELIVERY

SECURITY DESK2 MIN READ
FRI, MAY 29, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

Attackers are leveraging an authentication bypass vulnerability in FortiClient Enterprise Management Server to distribute EKZ, a previously unknown credential-stealing malware.

Security researchers have identified active exploitation of CVE-2026-35616, an authentication bypass flaw in Fortinet's FortiClient EMS platform. Threat actors are using the vulnerability to deploy EKZ, an undocumented infostealer designed to harvest credentials and sensitive data from compromised systems. FortiClient EMS is widely deployed across enterprise networks to manage endpoint security policies and device compliance. The vulnerability allows attackers to bypass authentication mechanisms, gaining unauthorized access to the management server without valid credentials. Once inside, attackers can push malicious payloads to managed endpoints. In active attacks, they're distributing EKZ to steal authentication tokens, passwords, and other sensitive information from infected machines. The EKZ malware appears to be relatively new, with limited public documentation available. Its capabilities focus on credential extraction, making it particularly dangerous for organizations managing critical infrastructure or handling sensitive data. Fortinet has not yet released an official patch for CVE-2026-35616, though the company is aware of the exploitation. Security teams managing FortiClient EMS deployments should prioritize access controls and network segmentation to restrict administrative access to the management servers. Organizations using FortiClient EMS are advised to: - Monitor for unauthorized access attempts to EMS infrastructure - Review logs for suspicious account activity or policy changes - Scan endpoints for EKZ signatures if available - Implement network-level protections around EMS servers - Prepare for rapid patching once Fortinet releases a fix This vulnerability underscores the risk posed when management platforms lack robust authentication. Compromise of enterprise management tools can provide attackers with a privileged vantage point to distribute malware across entire networks.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

4H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

4H AGOSecurity Desk

Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.

7H AGOAI Desk

A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.

9H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.