Attackers Exploit FortiClient EMS Flaw to Deploy Infostealer
Attackers are actively exploiting a known improper access control vulnerability in FortiClient Enterprise Management Server (EMS), identified as CVE-2026-35616. The attacks deliver a sophisticated infostealer disguised as a legitimate Fortinet update. The malware circumvents API authentication to steal sensitive data such as credentials and session cookies.
Context
CVE-2026-35616 is an improper access control vulnerability in FortiClient EMS, a tool used for managing Fortinet security products. The flaw is already known, yet the recent uptick in exploitation highlights ongoing security challenges. Attackers are leveraging it to deploy infostealer malware that disguises itself as a legitimate software update.
Why it matters
The exploitation of the FortiClient EMS vulnerability poses significant risks to organizations using this software, potentially leading to data breaches. Sensitive information, including user credentials and session cookies, can be compromised, impacting both individuals and businesses. Understanding this threat is crucial for cybersecurity preparedness and response.
Implications
The successful deployment of infostealer malware can lead to significant financial and reputational damage for affected organizations. Users whose credentials are compromised may face identity theft or unauthorized access to their accounts. This incident underscores the importance of regular software updates and robust cybersecurity measures.
What to watch
Organizations using FortiClient EMS should monitor for updates and patches from Fortinet that address this vulnerability. Increased reports of data breaches or unusual activity related to FortiClient EMS may signal further exploitation attempts. Cybersecurity firms may release additional guidance or tools to mitigate this threat.