CVE-2026-35616: FortiClient EMS Infostealer Hits Enterprise Networks

A new attack campaign observed in May 2026 is targeting enterprise organizations through a critical vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS). The flaw, tracked as CVE-2026-35616, allows attackers to bypass authentication entirely and execute administrative commands without ever holding valid credentials. The result is an infostealer campaign, delivered through FortiClient EMS, that reaches managed corporate endpoints at scale, putting sensitive employee and organizational data at serious risk.

This is not a narrow, targeted intrusion. Because FortiClient EMS sits at the center of endpoint management for large organizations, a single successful exploit can cascade across every device the server manages.

What CVE-2026-35616 Lets Attackers Do Inside Enterprise Networks

FortiClient EMS is designed to give IT administrators centralized control over endpoint security policies, VPN configurations, and software deployments across a corporate fleet. That administrative reach is exactly what makes CVE-2026-35616 so dangerous.

By exploiting the authentication bypass flaw, attackers gain the ability to impersonate legitimate administrative actors on the server. From that position, they can push software to managed devices, modify endpoint configurations, and execute commands remotely without triggering the standard authentication checks that would normally alert security teams. In the May 2026 campaign, attackers used this access to deliver an infostealer disguised as a legitimate Fortinet patch, a social engineering layer that makes the malicious payload look like routine maintenance to both automated defenses and human observers.

Fortinet released hotfixes addressing the vulnerability in April 2026 after it was found being exploited as a zero-day in the wild. Organizations that have not yet applied those patches remain exposed.

What Personal and Credential Data Infostealers Harvest From Corporate Devices

Once the infostealer is running on an endpoint, its scope is broad. Modern infostealers are built to vacuum up anything stored locally or passing through the device: saved browser credentials, session cookies, autofill data, stored passwords from password managers, VPN credentials, email account tokens, and files that match patterns associated with sensitive documents.

On a corporate device, this creates a compounded privacy problem. Employees frequently use work machines for tasks that blur the personal and professional line. A single compromised endpoint can yield login credentials for both corporate systems and personal accounts the employee happens to have accessed on that device. Session cookies are particularly damaging because they allow attackers to authenticate as the victim without needing a password at all, bypassing multi-factor authentication in many cases.

The management-layer delivery mechanism makes this worse. Because the payload arrives through a trusted administrative channel, endpoint detection tools that rely on behavioral signals from the user layer may not catch it at the initial delivery stage.

This attack shares structural similarities with other campaigns that use trusted software channels as delivery vehicles. Social engineering tactics that disguise malware as legitimate tools have become a recurring theme across multiple threat clusters in 2026, underscoring how attackers consistently exploit the gap between what looks legitimate and what actually is.

Why Enterprise Management Tool Compromises Put Employee Privacy at Risk at Scale

Most data breach discussions focus on the database or the application layer. The FortiClient EMS campaign highlights a different and underappreciated risk: compromise at the management infrastructure layer.

When an attacker controls the tool that manages endpoints rather than a single endpoint itself, the blast radius expands dramatically. Instead of one employee's device being compromised, every device under that EMS instance becomes a potential target. For large enterprises, that could mean hundreds or thousands of machines receiving the same malicious payload in a single coordinated push.

This also creates a specific problem for employee privacy that is distinct from a traditional breach of a corporate database. Infostealers running on individual devices capture data that the organization itself may never see or store centrally, including personal browsing history, personal account credentials, and locally saved files that never touched a corporate server. Employees have little visibility into what has been harvested from their own machines, and standard corporate incident response processes are often designed around centralized data stores rather than distributed endpoint data.

What Privacy-Conscious Employees and IT Teams Should Do Right Now

For IT and security teams, the immediate priority is patching. Fortinet released fixes for CVE-2026-35616 in April 2026. Any organization running FortiClient EMS that has not applied those hotfixes should treat this as urgent. Organizations should also audit EMS access logs for anomalous administrative actions, particularly any software deployments or configuration changes that were not initiated by known administrators.
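One way to implement the log review described above, as an added example that is not Fortinet's own tooling: it flags software deployments and configuration changes performed by accounts outside a known-administrator allowlist or from outside the management subnet. The log line format, actor names, subnet prefix and action names are all constructed for this illustration and are not the real EMS audit schema.

```python
"""Scan constructed EMS-style audit log lines for sensitive administrative
actions by unknown actors or from untrusted source addresses.
The line format is assumed for this example, not Fortinet's real schema."""
import re
from datetime import datetime

# Constructed sample log (not real EMS output). Assumed format:
# ISO timestamp | actor | source IP | action | target
SAMPLE_LOG = """\
2026-05-04T08:12:03Z | admin.jsmith | 10.20.1.15 | LOGIN | ems-console
2026-05-04T08:14:40Z | admin.jsmith | 10.20.1.15 | POLICY_UPDATE | group:Finance
2026-05-04T21:03:11Z | api_user | 10.20.1.15 | DEPLOY_SOFTWARE | group:All-Endpoints
2026-05-04T21:03:12Z | api_user | 198.51.100.7 | CONFIG_CHANGE | setting:telemetry
2026-05-05T02:17:55Z | admin.jsmith | 198.51.100.7 | DEPLOY_SOFTWARE | group:All-Endpoints
"""

KNOWN_ADMINS = {"admin.jsmith", "admin.mlee"}      # constructed allowlist
TRUSTED_ADMIN_NETS = ("10.20.1.",)                  # constructed management subnet
SENSITIVE_ACTIONS = {"DEPLOY_SOFTWARE", "CONFIG_CHANGE", "POLICY_UPDATE"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<actor>[^|]+?) \| (?P<ip>[^|]+?) \| "
    r"(?P<action>[^|]+?) \| (?P<target>.+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_anomalies(log_text, known_admins=KNOWN_ADMINS, trusted_nets=TRUSTED_ADMIN_NETS):
    """Return (line_number, reason, event) for each sensitive action that was
    performed by an actor outside the allowlist or from an untrusted subnet."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        if ev is None or ev["action"] not in SENSITIVE_ACTIONS:
            continue
        reasons = []
        if ev["actor"] not in known_admins:
            reasons.append("actor not in known-admin allowlist")
        if not ev["ip"].startswith(trusted_nets):
            reasons.append("source IP outside management subnet")
        if reasons:
            findings.append((n, "; ".join(reasons), ev))
    return findings
```

Reviewing deployments and configuration changes this way surfaces the pushes to a broad endpoint group that an authentication bypass would produce without a matching interactive admin login.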

Beyond patching, this campaign is a useful prompt to review the segmentation between your management infrastructure and the broader network. EMS servers should not be directly reachable from the public internet without strong access controls, and administrative interfaces should require additional authentication layers even for internally positioned users.

For individual employees, the picture is more nuanced. You have limited visibility into what is running on a managed corporate device, and even less control over whether your employer has applied the relevant patches. A few practical steps can reduce your personal exposure:

  • Avoid storing personal account credentials in browsers on work devices. If an infostealer runs, those saved passwords are among the first things it captures.
  • Use a separate personal device for personal accounts where possible, keeping that traffic entirely off corporate-managed infrastructure.
  • Consider a personal VPN on your work device for traffic that falls outside corporate business purposes. Management-layer attacks like this one target administrative channels and endpoint software; a personal VPN running on the device adds a layer of encrypted traffic privacy for your own browsing, which infostealer campaigns delivered through EMS cannot easily intercept at the network level.
  • Enable hardware security keys or phishing-resistant MFA on your most sensitive personal accounts. Even if session cookies are captured, accounts protected by hardware-based second factors are significantly harder to access.

The FortiClient EMS infostealer campaign is a clear reminder that corporate infrastructure compromises are also personal privacy events. Patching closes the specific door CVE-2026-35616 opens, but reviewing both your organizational security posture and your own data hygiene on managed devices is the more durable response.