Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fortinet FortiClient EMS emergency patch release (CVE-2026-35616, CVE-2026-21643)

Security Patch Release
First reported
Last updated
Happening score
H score 53
3 unique sources, 3 articles

Summary

Hide ▲

Fortinet FortiClient EMS is a security-patch release happening centered on CVE-2026-35616 and CVE-2026-21643. Fortinet issued an out-of-band emergency hotfix after confirming that CVE-2026-35616 was exploited in the wild. The vendor said the flaw is a critical CVSS 9.1 improper access control issue that could let an unauthenticated attacker execute unauthorized code or commands through crafted requests. Fortinet also stated that customers running EMS 7.4.5 and 7.4.6 should install the fix immediately and that 7.4.7 would include the remediation as well. Follow-on reporting in May 2026 shows attackers abusing the same FortiClient Endpoint Management Server (EMS) management path to deliver malware to managed endpoints. Arctic Wolf observed a disguised FortiEndpoint_Patch.exe update, execution through fortitray.exe and cmd.exe, and a Base64-encoded PowerShell chain that downloaded a credential stealer and exfiltrated browser data to 83.138.53[.]110 over HTTP POST.

Related Happenings

FortiBleed multi-vendor brute-force wave

Exploitation Wave
H score75 First: 23.06.2026 21:20 Last: 23.06.2026 21:20 Sources 1

About this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...

FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
H score72 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score89 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score89 First: 19.06.2026 17:00 Last: 19.06.2026 17:00 Sources 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak
H score80 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...

Latest development: 19.06.2026 09:47

CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.

Timeline

  1. 28.05.2026 18:26 2 articles · 1mo ago

    Threat actors exploit FortiClient EMS CVE-2026-35616 to push credential stealer to managed endpoints

    Exploitation Observed

    Arctic Wolf observed threat actors abusing FortiClient Endpoint Management Server (EMS) and CVE-2026-35616 in May 2026 to modify EMS-managed configuration, disguise FortiEndpoint_Patch.exe as a Fortinet endpoint update, and use fortitray.exe, cmd.exe, and a Base64-encoded PowerShell chain to download malware and exfiltrate browser data to 83.138.53[.]110.

    Show sources
  2. 07.04.2026 12:26 2 articles · 3mo ago

    Fortinet issues emergency FortiClient EMS hotfix

    Mitigation Patch Update

    Fortinet urged customers running FortiClient Enterprise Management Server (EMS) 7.4.5 and 7.4.6 to install an emergency hotfix after confirming that CVE-2026-35616, a critical CVSS 9.1 improper access control flaw, was exploited in the wild and could let an unauthenticated attacker execute unauthorized code or commands via crafted requests. Fortinet also pointed customers to remediation for CVE-2026-21643, a CVSS 9.8 SQL injection flaw that was also being exploited in the wild, advising upgrade to 7.4.5 or later or disconnecting the administrative web interface from the internet; the vendor said the hotfix is sufficient to prevent CVE-2026-35616 entirely and that upcoming FortiClientEMS 7.4.7 will also include a fix.

    Show sources