Fortinet FortiClient EMS emergency patch release (CVE-2026-35616, CVE-2026-21643)
Security Patch Release
Summary
Hide ▲
Show ▼
Fortinet FortiClient EMS is a security-patch release happening centered on CVE-2026-35616 and CVE-2026-21643. Fortinet issued an out-of-band emergency hotfix after confirming that CVE-2026-35616 was exploited in the wild. The vendor said the flaw is a critical CVSS 9.1 improper access control issue that could let an unauthenticated attacker execute unauthorized code or commands through crafted requests. Fortinet also stated that customers running EMS 7.4.5 and 7.4.6 should install the fix immediately and that 7.4.7 would include the remediation as well. Follow-on reporting in May 2026 shows attackers abusing the same FortiClient Endpoint Management Server (EMS) management path to deliver malware to managed endpoints. Arctic Wolf observed a disguised FortiEndpoint_Patch.exe update, execution through fortitray.exe and cmd.exe, and a Base64-encoded PowerShell chain that downloaded a credential stealer and exfiltrated browser data to 83.138.53[.]110 over HTTP POST.
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
FortiBleed Fortinet/FortiGate VPN credential leak
Data LeakAbout this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
Timeline
-
28.05.2026 18:26 2 articles · 1mo ago
Threat actors exploit FortiClient EMS CVE-2026-35616 to push credential stealer to managed endpoints
Exploitation ObservedArctic Wolf observed threat actors abusing FortiClient Endpoint Management Server (EMS) and CVE-2026-35616 in May 2026 to modify EMS-managed configuration, disguise FortiEndpoint_Patch.exe as a Fortinet endpoint update, and use fortitray.exe, cmd.exe, and a Base64-encoded PowerShell chain to download malware and exfiltrate browser data to 83.138.53[.]110.
Show sources
- Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer — thehackernews.com — 28.05.2026 18:26
- Hackers exploit FortiClient EMS flaw to push infostealer malware — www.bleepingcomputer.com — 28.05.2026 20:25
-
07.04.2026 12:26 2 articles · 3mo ago
Fortinet issues emergency FortiClient EMS hotfix
Mitigation Patch UpdateFortinet urged customers running FortiClient Enterprise Management Server (EMS) 7.4.5 and 7.4.6 to install an emergency hotfix after confirming that CVE-2026-35616, a critical CVSS 9.1 improper access control flaw, was exploited in the wild and could let an unauthenticated attacker execute unauthorized code or commands via crafted requests. Fortinet also pointed customers to remediation for CVE-2026-21643, a CVSS 9.8 SQL injection flaw that was also being exploited in the wild, advising upgrade to 7.4.5 or later or disconnecting the administrative web interface from the internet; the vendor said the hotfix is sufficient to prevent CVE-2026-35616 entirely and that upcoming FortiClientEMS 7.4.7 will also include a fix.
Show sources
- Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited — www.infosecurity-magazine.com — 07.04.2026 12:26
- Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited — www.infosecurity-magazine.com — 07.04.2026 12:26