CVE-2026-35616: FortiClient EMS Exploited via Fake Patches to Drop EKZ Infostealer

CVE-2026-35616: FortiClient EMS Exploited via Fake Patches to Drop EKZ Infostealer

A critical vulnerability in Fortinet's FortiClient Endpoint Management Server is now being actively weaponized in the wild. Tracked as CVE-2026-35616, the flaw is being used by threat actors to deploy the EKZ Infostealer malware through a particularly deceptive method: a fake software patch. The FortiClient EMS vulnerability credential theft campaign targets organizations that rely on centralized endpoint management, turning their own security infrastructure into an attack vector.

For IT and security teams managing distributed or remote workforces, this is not an abstract threat. The attack chain is designed to look legitimate, which is what makes it especially dangerous.

How CVE-2026-35616 Is Being Exploited in the Wild

CVE-2026-35616 carries a CVSS score of 9.1 and enables pre-authentication bypass and privilege escalation within FortiClient EMS. In practical terms, attackers can access the management server without valid credentials and execute commands at elevated privilege levels.

What separates this campaign from a typical exploitation attempt is the social engineering layer wrapped around it. Threat actors are delivering a fake patch disguised as a legitimate update for the affected software. When an administrator or managed endpoint processes this fraudulent patch, it silently executes malicious PowerShell commands in the background. The victim sees what appears to be a normal update; the attacker gains a foothold.

Fortinet issued hotfixes in April after confirming the vulnerability had been exploited as a zero-day vulnerability, meaning attacks were underway before a fix was available. Organizations that have not applied those hotfixes remain exposed, but even patched environments may be at risk if the fake-patch lure was already delivered prior to remediation.

What the EKZ Infostealer Steals and Who Is at Risk

Once the malicious PowerShell commands execute, the EKZ Infostealer is deployed on the compromised endpoint. Its primary objective is credential harvesting. The malware specifically targets browser-stored credentials, including saved usernames and passwords across commonly used browsers, along with other sensitive data accessible on the managed machine.

Because FortiClient EMS is designed to manage endpoints across an organization from a single console, a successful compromise does not just affect one machine. Attackers who gain access through the EMS server can potentially reach all endpoints under its management umbrella. This makes the blast radius of a single exploitation event significantly larger than a standalone device compromise.

The organizations most directly at risk are those using FortiClient EMS to manage remote or hybrid workforces, where endpoints are distributed across home networks, branch offices, and other environments outside the traditional corporate perimeter. Remote workers frequently store credentials in browsers for convenience, making those endpoints high-value targets for infostealers.

Why Endpoint Security Tools Alone Are Not Enough for Remote Teams

There is a painful irony embedded in this campaign. FortiClient itself is an endpoint security product, and its management server is now being used as a delivery mechanism for malware. This underscores a broader principle that security teams often acknowledge in theory but struggle to operationalize in practice: no single security tool is sufficient on its own.

Endpoint security platforms are valuable components of a defense strategy, but they are also software, and software has vulnerabilities. When a centralized management tool is compromised, it can neutralize the protections it was meant to enforce. Attackers understand this, which is why management interfaces and security infrastructure have become high-priority targets.

For remote teams in particular, the attack surface extends well beyond the managed device. Network traffic, credential transmission, and authentication flows all pass through environments that the organization does not fully control. Layered controls, including network-level protections, zero-trust access policies, and strong credential hygiene practices, are necessary complements to endpoint security tools, not optional extras.

The fake-patch delivery method used in this campaign also highlights how the update process itself can be exploited. If employees or administrators are conditioned to install patches on demand, attackers can weaponize that behavior. Verifying the authenticity of patches through official vendor channels before installation is a critical step that this campaign specifically attempts to circumvent.

How to Harden Your Organization Against Fake-Patch and Infostealer Attacks

For organizations running FortiClient EMS, the immediate priority is applying Fortinet's official hotfixes through verified update channels only. Do not rely on prompts or links delivered via email, chat, or unfamiliar interfaces.

Beyond the immediate patch, here are concrete steps worth prioritizing:

• Audit managed endpoints for signs of compromise. Look for unexpected PowerShell execution events, unusual outbound connections, or evidence of credential-scraping activity in browser data stores.
• Restrict management server access. FortiClient EMS should not be exposed to the public internet without strict access controls. Limit who can reach the management interface and from where.
• Enforce multi-factor authentication across all remote access points. Stolen browser credentials are most dangerous when they provide direct access to corporate systems. MFA breaks that chain.
• Educate administrators about fake-patch tactics. Social engineering attacks targeting IT staff are increasingly common. Teams that understand the tactic are less likely to fall for it.
• Evaluate network-level controls for remote endpoints. Tools that encrypt and authenticate traffic from remote devices add a layer of protection that complements endpoint security, particularly when an endpoint security tool itself is compromised.

The CVE-2026-35616 campaign is a reminder that understanding the difference between a patched vulnerability and a fully mitigated threat matters. Even after hotfixes are applied, organizations need to investigate whether the fake-patch lure may have already been executed in their environment. Patch timing and complementary controls are both part of the equation, which is exactly why security frameworks increasingly treat endpoint protection as one layer among many rather than a standalone solution.

If your organization manages a remote workforce, now is a good time to audit not just your FortiClient EMS deployment, but your broader layered security strategy. Identifying gaps before the next campaign exploits them is a far better position than responding after credentials have already been stolen.