FortiClient EMS improper access control flaw (CVE-2026-35616)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2026-35616 is an actively exploited improper access control flaw in FortiClient Enterprise Management Server (EMS) that lets unauthenticated attackers execute code or commands via specially crafted requests. In May 2026, Arctic Wolf observed attacks abusing EMS management paths to modify configuration and deliver EKZ, an undocumented credential stealer, through FortiClient-managed VPN scripting workflows. The payload was disguised as a Fortinet endpoint update, launched through fortitray.exe and cmd.exe, and used PowerShell to exfiltrate browser data to an attacker-controlled VPS over HTTP. Fortinet released emergency hotfixes for 7.4.5 and 7.4.6, and later addressed the flaw in FortiClient EMS 7.4.7 and later.
Cases
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
FortiBleed Fortinet/FortiGate VPN credential leak
Data LeakAbout this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
Timeline
-
28.05.2026 18:26 2 articles · 1mo ago
Initial report: FortiClient EMS pre-auth API access bypass (CVE-2026-35616)
Initial DisclosureAttackers were already abusing **CVE-2026-35616** against **FortiClient EMS** in **May 2026**. The flaw provided **pre-auth API access bypass** and **privilege escalation** before remediation in **7.4.7 and later**.
Show sources
- Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer — thehackernews.com — 28.05.2026 18:26
- Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer — thehackernews.com — 28.05.2026 18:26
-
05.04.2026 21:45 2 articles · 3mo ago
Fortinet issues emergency hotfix for CVE-2026-35616
Mitigation Patch UpdateFortinet releases an emergency hotfix for CVE-2026-35616, an improper access control flaw in FortiClient EMS 7.4.5 and 7.4.6 that can let unauthenticated attackers execute code or commands via specially crafted requests. Fortinet says FortiClient EMS 7.4.7 will also fix the issue and urges customers to install the hotfix immediately.
Show sources
- New FortiClient EMS flaw exploited in attacks, emergency patch released — www.bleepingcomputer.com — 05.04.2026 21:45
- Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited — www.infosecurity-magazine.com — 07.04.2026 12:26
-
05.04.2026 21:45 2 articles · 3mo ago
Fortinet confirms CVE-2026-35616 active exploitation
Initial DisclosureFortinet confirms that CVE-2026-35616 is actively exploited in the wild, credits Defused with finding a pre-authentication API access bypass in FortiClient EMS, and notes that Shadowserver found more than 2,000 exposed EMS instances online, mostly in the USA and Germany. Defused says the flaw was observed as a zero-day earlier this week before responsible disclosure to Fortinet.
Show sources
- New FortiClient EMS flaw exploited in attacks, emergency patch released — www.bleepingcomputer.com — 05.04.2026 21:45
- Hackers exploit FortiClient EMS flaw to push infostealer malware — www.bleepingcomputer.com — 28.05.2026 20:25