Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: forticlient-ems (3 articles)Clear

FortiClient EMS CVE-2026-35616 actively exploited to deploy EKZ infostealer - disguised as endpoint update via VPN scripting

Arctic Wolf has observed active exploitation of CVE-2026-35616, an authentication-bypass flaw in FortiClient Enterprise Management Server (EMS), to deliver an undocumented credential stealer called EKZ. Attackers abuse the endpoint APIs to perform administrative actions without authentication, then modify EMS configuration and VPN policies to inject malicious scripts. Seconds after endpoints establish an IPsec tunnel to a Fortinet-managed gateway, EKZ is pushed disguised as an endpoint update via VPN scripting workflows. Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6 in early April and CISA ordered federal agencies to patch the same week; Shadowserver tracked 2,000 internet-exposed EMS instances at the time.

Check
Inventory FortiClient EMS deployments and confirm patch level. Search for unauthorized EMS configuration or VPN policy changes since early April. Look for EKZ stealer behavior on endpoints.
Affected
FortiClient EMS versions before the 7.4.5 and 7.4.6 hotfixes. Internet-exposed instances are at highest risk; Shadowserver counted 2,000 exposed in April when CISA mandated federal patching.
Fix
Apply the Fortinet hotfixes. Audit EMS admin actions and VPN policy modifications since April. Rotate credentials and certificates that EMS managed. Apply Arctic Wolf EKZ IoCs.

Second FortiClient EMS zero-day in two weeks - emergency patch for pre-auth API bypass, actively exploited (CVE-2026-35616)

If you patched FortiClient EMS for CVE-2026-21643 two weeks ago by upgrading to 7.4.5, you're now vulnerable to a new zero-day. CVE-2026-35616 is a CVSS 9.1 pre-authentication API access bypass affecting versions 7.4.5 and 7.4.6 - the exact versions customers upgraded to. Defused Cyber spotted exploitation in the wild starting March 31. Fortinet released an emergency weekend hotfix on Saturday, with watchTowr noting attackers deliberately timed this for the Easter holiday when security teams are at half strength.

Check
If you run FortiClient EMS 7.4.5 or 7.4.6, treat this as an emergency - apply the hotfix now, not after the holiday.
Affected
FortiClient EMS 7.4.5 and 7.4.6 only. The 7.2 branch and FortiEMS Cloud are not affected.
Fix
Apply the emergency hotfix for your version immediately: hotfix for 7.4.5 or hotfix for 7.4.6 (see Fortinet release notes). Upgrade to 7.4.7 when available. Restrict the EMS web interface to management VLANs only. Review logs for unusual API requests since March 31.

Fortinet FortiClient EMS SQL injection actively exploited - no authentication required (CVE-2026-21643)

A CVSS 9.1 SQL injection flaw in Fortinet's FortiClient Endpoint Management Server is now being exploited in the wild - four days before anyone flagged it publicly. An attacker only needs one crafted HTTP request with a malicious Site header to execute arbitrary SQL against the backing PostgreSQL database, no credentials required. Roughly 1,000 to 2,400 FortiClient EMS instances are exposed to the internet, mostly in the US and Europe.

Check
Check if you run FortiClient EMS with its web interface exposed to the internet.
Affected
FortiClient EMS 7.4.4 with multi-tenant mode enabled. Single-site deployments are not affected.
Fix
Upgrade to FortiClient EMS 7.4.5 or later. Restrict access to the EMS administrative interface immediately.