FORTICLIENT EMS FLAW EXPLOITED FOR MALWARE DELIVERY

Security researchers have identified active exploitation of CVE-2026-35616, an authentication bypass flaw in Fortinet's FortiClient EMS platform. Threat actors are using the vulnerability to deploy EKZ, an undocumented infostealer designed to harvest credentials and sensitive data from compromised systems. FortiClient EMS is widely deployed across enterprise networks to manage endpoint security policies and device compliance. The vulnerability allows attackers to bypass authentication mechanisms, gaining unauthorized access to the management server without valid credentials. Once inside, attackers can push malicious payloads to managed endpoints. In active attacks, they're distributing EKZ to steal authentication tokens, passwords, and other sensitive information from infected machines. The EKZ malware appears to be relatively new, with limited public documentation available. Its capabilities focus on credential extraction, making it particularly dangerous for organizations managing critical infrastructure or handling sensitive data. Fortinet has not yet released an official patch for CVE-2026-35616, though the company is aware of the exploitation. Security teams managing FortiClient EMS deployments should prioritize access controls and network segmentation to restrict administrative access to the management servers. Organizations using FortiClient EMS are advised to: - Monitor for unauthorized access attempts to EMS infrastructure - Review logs for suspicious account activity or policy changes - Scan endpoints for EKZ signatures if available - Implement network-level protections around EMS servers - Prepare for rapid patching once Fortinet releases a fix This vulnerability underscores the risk posed when management platforms lack robust authentication. Compromise of enterprise management tools can provide attackers with a privileged vantage point to distribute malware across entire networks.