
FortiClient EMS exploit turns endpoint management into credential theft at scale

Lucas Oliveira, Research
May 31, 2026·5 min read

CVE-2026-35616 matters because it breaks a security assumption many teams quietly rely on: that the endpoint-management plane is inherently trusted. Fortinet disclosed the FortiClient EMS flaw in early April 2026 as a critical, known-exploited vulnerability that allows unauthenticated code or command execution via crafted requests. By late May, Arctic Wolf reported a campaign using that same weakness to push a fake Fortinet patch that was actually credential-stealing malware.

That turns the story from "patch your management server" into "assume the management plane can become the malware distributor." If attackers reach FortiClient EMS, they may not need to compromise endpoints one by one. The management path does that for them.

What happened

Fortinet's PSIRT advisory says CVE-2026-35616 is an improper access control flaw in FortiClient EMS. The vendor marked it as known exploited and says affected on-prem versions include 7.4.5 through 7.4.6, while 7.2 is not affected. Fortinet's guidance is direct: install the hotfixes for the affected 7.4 branches or upgrade to 7.4.7 or later.

The advisory alone already made this an urgent patch item. But Arctic Wolf's May 27 research added the operational consequence defenders should focus on. The company says it observed threat actors exploiting the flaw to modify EMS-managed configuration and silently execute malicious PowerShell through FortiClient's own management workflow. The payload, which Arctic Wolf named EKZ Infostealer, targeted browser credentials and related data.

SecurityWeek summarized the blast radius clearly: because FortiClient EMS centrally manages devices, policies, and configurations, compromise of the appliance let the attackers execute code across every managed endpoint. That is not a normal single-host patch failure. It is a control-plane failure.

Why this is more dangerous than a typical edge-server bug

Most exploited product flaws are serious because they expose one server, one application, or one identity boundary. FortiClient EMS is different because it sits upstream of the endpoint fleet. If that management tier is compromised, the attacker can inherit legitimacy and reach.

That changes the risk model in three ways:

  • the initial exploit path is on the server, but the business impact lands on the endpoints
  • malicious activity can resemble routine administrative delivery instead of noisy malware deployment
  • remediation now includes both server patching and endpoint-wide incident response

This is the defender lesson: endpoint-management infrastructure should be treated closer to identity, remote access, and orchestration systems than to an ordinary internal application.

What the EKZ campaign shows

Arctic Wolf says the observed campaign disguised the payload as a Fortinet endpoint update and used PowerShell to run it across managed systems. The malware then harvested credentials, cookies, and autofill material from Chrome, Firefox, Microsoft Edge, and other Chromium- or Gecko-based browsers.

The strategic point is not only that a credential stealer was deployed. It is that the attackers abused a trusted administrative workflow to push it. Once the EMS path is in hostile hands, the organization's own management channel becomes a form of lateral movement at scale.

That makes detection harder. Security teams may initially see policy changes, scripts, or package delivery events that look plausible because they are moving through the same systems administrators use every day.

What defenders should do now

1. Patch or hotfix FortiClient EMS immediately

Fortinet says 7.4.5 and 7.4.6 are affected and should be hotfixed or upgraded to 7.4.7 or later. Do not treat this as a routine maintenance item if the EMS instance is reachable from untrusted networks or was left exposed during earlier zero-day activity.

2. Treat EMS compromise as a fleet-wide event

If there is any sign the EMS server was exposed or abused, assume the incident may extend beyond the appliance itself. Review what scripts, profiles, and policies were recently changed or pushed to clients. A compromised management server can create downstream endpoint exposure even after the server is patched.

3. Hunt for management-path abuse

Review FortiClient EMS activity for:

  • unexpected policy or remote access profile changes
  • inserted or modified scripts
  • unusual PowerShell execution on managed endpoints
  • browser-credential theft indicators and suspicious HTTP exfiltration
  • administrative actions occurring from unfamiliar sources or at unusual times

This is a strong case for correlating endpoint telemetry with the management plane's own audit and change logs rather than investigating those sources in isolation.
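The hunting list and the correlation point above, turned into a small offline check. This is an added example written for this article; it is not code from the article, from Fortinet, or from Arctic Wolf. The log lines, hostnames, IP addresses, admin account names, the trusted admin network, the business-hours window, the script name and the `emsagent.exe` parent process are all constructed for illustration; a real FortiClient EMS audit log and real endpoint telemetry use different schemas, so `parse_record` is the part you would adapt.

```python
"""
Added example (not from the article, Fortinet or Arctic Wolf): review constructed
EMS admin-audit records for change actions, unfamiliar sources and odd hours, and
correlate endpoint PowerShell runs with an EMS script deployment shortly before
them, i.e. code that reached the fleet through the management path.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed EMS audit records: who changed what, from where, and when.
EMS_AUDIT = [
    "2026-05-20T09:12:03Z admin=alice src=10.20.5.14 action=profile.update object=RemoteAccess-Corp",
    "2026-05-21T02:41:17Z admin=svc_api src=203.0.113.77 action=script.create object=FortiPatch-Update.ps1",
    "2026-05-21T02:43:50Z admin=svc_api src=203.0.113.77 action=script.deploy object=FortiPatch-Update.ps1 targets=all",
    "2026-05-21T10:05:00Z admin=bob src=10.20.5.21 action=policy.update object=Telemetry-Default",
]

# Constructed endpoint process events; emsagent.exe is a placeholder parent name.
ENDPOINT_EVENTS = [
    r"2026-05-21T02:44:31Z host=WS-0142 proc=powershell.exe parent=emsagent.exe cmd=-File C:\ProgramData\FortiPatch-Update.ps1",
    r"2026-05-21T02:44:40Z host=WS-0177 proc=powershell.exe parent=emsagent.exe cmd=-File C:\ProgramData\FortiPatch-Update.ps1",
    r"2026-05-21T10:07:12Z host=WS-0142 proc=powershell.exe parent=explorer.exe cmd=Get-Process",
]

TRUSTED_ADMIN_NETS = [ip_network("10.20.5.0/24")]  # constructed admin VLAN
BUSINESS_HOURS = range(8, 18)                       # constructed: 08:00-17:59 UTC
CHANGE_ACTIONS = {"script.create", "script.update", "script.deploy",
                  "profile.update", "policy.update"}

# key=value pairs; the last value (e.g. cmd=...) may itself contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_record(line: str) -> dict:
    """Turn 'ISO-timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(_KV.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def flag_admin_actions(audit_lines):
    """Return EMS admin actions that deserve review, each with its reasons."""
    findings = []
    for rec in map(parse_record, audit_lines):
        reasons = []
        if rec.get("action") in CHANGE_ACTIONS:
            reasons.append("config/script change")
        if not any(ip_address(rec["src"]) in net for net in TRUSTED_ADMIN_NETS):
            reasons.append("source outside admin network")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"ts": rec["ts"], "admin": rec["admin"],
                             "action": rec["action"], "object": rec.get("object"),
                             "reasons": reasons})
    return findings


def correlate_deploys(audit_lines, endpoint_lines, window=timedelta(minutes=30)):
    """Match endpoint PowerShell runs to an EMS script.deploy of the same script
    within `window` before the run: delivery through the management channel."""
    deploys = [r for r in map(parse_record, audit_lines) if r.get("action") == "script.deploy"]
    hits = []
    for ev in map(parse_record, endpoint_lines):
        if ev.get("proc", "").lower() != "powershell.exe":
            continue
        for d in deploys:
            delay = ev["ts"] - d["ts"]
            if timedelta(0) <= delay <= window and d["object"] in ev.get("cmd", ""):
                hits.append({"host": ev["host"], "script": d["object"],
                             "deployed_by": d["admin"],
                             "delay_s": int(delay.total_seconds())})
    return hits


if __name__ == "__main__":
    for f in flag_admin_actions(EMS_AUDIT):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['admin']:8} {f['action']:15} {f['object']}: {', '.join(f['reasons'])}")
    for h in correlate_deploys(EMS_AUDIT, ENDPOINT_EVENTS):
        print(f"{h['host']} ran {h['script']} {h['delay_s']}s after deploy by {h['deployed_by']}")
```

Run against the constructed data, the two `svc_api` records collect all three reasons (a script change, an off-network source, an off-hours time) while the routine daytime changes by `alice` and `bob` only show up as changes to review; the correlation step ties both workstations' PowerShell runs to the `script.deploy` seconds earlier, and leaves the later interactive `Get-Process` alone. The thresholds are deliberately simple so that the rules stay readable when you replace the constructed parser with one for your real log sources.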

4. Reclassify endpoint management as critical control-plane infrastructure

Teams often protect remote-access appliances and identity providers more aggressively than management tooling. That gap is increasingly hard to justify. A compromised endpoint-management platform can become an attacker-operated distribution system.

5. Review exposure and segmentation

Even when patching is complete, this incident should trigger a review of whether FortiClient EMS is unnecessarily exposed, over-permissioned, or too loosely segmented from the environments it manages. Management servers need tighter network boundaries, stronger administrative controls, and better monitoring than many organizations currently give them.

Strategic takeaway

CVE-2026-35616 is a reminder that attackers do not only want access to endpoints. They want access to the mechanisms that control endpoints. That is why this FortiClient EMS issue deserves attention beyond the vendor advisory itself.

The risk is not just unauthenticated code execution on a server. The real risk is what happens when that server is allowed to act as an enterprise-wide distribution channel. Once that trust boundary fails, the attack scales fast.

Which FortiClient EMS versions are affected?

Fortinet says FortiClient EMS 7.4.5 through 7.4.6 are affected by CVE-2026-35616, while 7.2 is not affected.

Fortinet says affected customers should apply the hotfix guidance for 7.4.5 or 7.4.6 and move to FortiClient EMS 7.4.7 or later.

Why is this issue strategically important?

Because compromise of an endpoint-management server can let attackers push malicious actions across managed devices, turning a server-side flaw into organization-wide endpoint risk.

References

  1. Fortinet PSIRT FG-IR-26-099: API authentication and authorization bypass
  2. Arctic Wolf: FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch
  3. SecurityWeek: Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.