Find notable cyber news and cases, enriched with sources, timelines, and signals.

FortiClient EMS improper access control flaw (CVE-2026-35616)

Vulnerability
First reported
Last updated
Happening score
H score 59
3 unique sources, 4 articles

Summary

Hide ▲

CVE-2026-35616 is an actively exploited improper access control flaw in FortiClient Enterprise Management Server (EMS) that lets unauthenticated attackers execute code or commands via specially crafted requests. In May 2026, Arctic Wolf observed attacks abusing EMS management paths to modify configuration and deliver EKZ, an undocumented credential stealer, through FortiClient-managed VPN scripting workflows. The payload was disguised as a Fortinet endpoint update, launched through fortitray.exe and cmd.exe, and used PowerShell to exfiltrate browser data to an attacker-controlled VPS over HTTP. Fortinet released emergency hotfixes for 7.4.5 and 7.4.6, and later addressed the flaw in FortiClient EMS 7.4.7 and later.

Cases

Related Happenings

FortiBleed multi-vendor brute-force wave

Exploitation Wave
H score75 First: 23.06.2026 21:20 Last: 23.06.2026 21:20 Sources 1

About this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...

FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
H score72 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score89 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak
H score80 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...

Latest development: 19.06.2026 09:47

CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.

Timeline

  1. 28.05.2026 18:26 2 articles · 1mo ago

    Initial report: FortiClient EMS pre-auth API access bypass (CVE-2026-35616)

    Initial Disclosure

    Attackers were already abusing **CVE-2026-35616** against **FortiClient EMS** in **May 2026**. The flaw provided **pre-auth API access bypass** and **privilege escalation** before remediation in **7.4.7 and later**.

    Show sources
  2. 05.04.2026 21:45 2 articles · 3mo ago

    Fortinet issues emergency hotfix for CVE-2026-35616

    Mitigation Patch Update

    Fortinet releases an emergency hotfix for CVE-2026-35616, an improper access control flaw in FortiClient EMS 7.4.5 and 7.4.6 that can let unauthenticated attackers execute code or commands via specially crafted requests. Fortinet says FortiClient EMS 7.4.7 will also fix the issue and urges customers to install the hotfix immediately.

    Show sources
  3. 05.04.2026 21:45 2 articles · 3mo ago

    Fortinet confirms CVE-2026-35616 active exploitation

    Initial Disclosure

    Fortinet confirms that CVE-2026-35616 is actively exploited in the wild, credits Defused with finding a pre-authentication API access bypass in FortiClient EMS, and notes that Shadowserver found more than 2,000 exposed EMS instances online, mostly in the USA and Germany. Defused says the flaw was observed as a zero-day earlier this week before responsible disclosure to Fortinet.

    Show sources