CVE-2026-35616 — Fortinet FortiClient EMS pre-auth bypass, exploited to push EKZ Infostealer down the management channel
From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25
If you did nothing this week: an attacker with a working pre-auth bypass against your FortiClient EMS management API can modify Remote Access Profile configurations and inject malicious PowerShell into every managed endpoint, with the payload disguised as a legitimate Fortinet patch; per Arctic Wolf, this is already happening in the wild.
Arctic Wolf observed active exploitation of CVE-2026-35616 (CVSS 9.1, first covered 2026-05-29, Fortinet PSIRT FG-IR-26-099, now CISA KEV-listed) in which the EKZ Infostealer was distributed through the trusted endpoint-management plane. This is the operationally important framing for this audience: the malware arrives over the channel the endpoint is built to trust, so signature-trust and "it came from EMS" heuristics fail open. Any public-sector, finance, energy or telco estate running FortiClient EMS should patch, then hunt for unexpected Remote Access Profile changes and PowerShell pushed from the EMS server in the exposure window.
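The hunt described above, as an added example that is not Arctic Wolf's or Fortinet's code: it diffs a known-good snapshot of Remote Access Profiles against a current export to surface fields that newly carry script execution, and scans EMS audit lines for profile modifications by unknown actors, from unexpected sources, or outside an approved change window. The export layout (a dict of profile name to fields), the audit-log line format, the indicator list and all sample values are constructed for this example and are not the real EMS schema; map them onto your own exports before running it against production data.

```python
"""Hunt helper for unexpected Remote Access Profile changes and script pushes.

Added example, not Arctic Wolf or Fortinet code. The profile-export layout,
the audit-log line format and every sample value below are hypothetical
stand-ins constructed for the example.
"""
import re
from datetime import datetime

# Strings that should never appear in a Remote Access Profile field unless the
# profile was deliberately built to run scripts. Constructed starter list.
SCRIPT_PATTERNS = re.compile(
    r"powershell|pwsh|encodedcommand|\s-e(nc)?\s|invoke-expression"
    r"|\biex\b|downloadstring|frombase64string",
    re.IGNORECASE,
)


def diff_profiles(baseline, current):
    """Compare two {profile_name: {field: value}} snapshots.

    One finding per changed, added or deleted field. 'script' is True when the
    new value matches SCRIPT_PATTERNS; those are the findings to triage first.
    """
    findings = []
    for name, fields in current.items():
        old = baseline.get(name, {})
        for key, value in fields.items():
            if old.get(key) != value:
                findings.append({
                    "profile": name,
                    "field": key,
                    "old": old.get(key),
                    "new": value,
                    "script": bool(SCRIPT_PATTERNS.search(str(value))),
                })
    for name in baseline.keys() - current.keys():
        findings.append({"profile": name, "field": None, "old": "present",
                         "new": "deleted", "script": False})
    return findings


# Hypothetical audit line: "<ISO timestamp> <actor> <action> <object> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<actor>\S+) (?P<action>\S+) (?P<obj>\S+) src=(?P<src>\S+)$"
)


def flag_audit_lines(lines, trusted_admins, trusted_sources, window):
    """Flag profile modifications that fall outside expected admin activity.

    window is a (start, end) datetime pair covering approved change work.
    Returns a list of (line, [reasons]) for every flagged line.
    """
    start, end = window
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "modify_remote_access_profile":
            continue
        ts = datetime.fromisoformat(m["ts"])
        reasons = []
        if m["actor"] not in trusted_admins:
            reasons.append("unknown actor")
        if m["src"] not in trusted_sources:
            reasons.append("unexpected source")
        if not (start <= ts <= end):
            reasons.append("outside change window")
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


# Constructed sample data: a baseline taken before the exposure window and a
# current export in which one profile now launches an encoded PowerShell command.
BASELINE = {
    "Corp-VPN": {"vpn_gateway": "vpn.example.test", "pre_connect_script": ""},
    "Contractor-VPN": {"vpn_gateway": "vpn.example.test", "pre_connect_script": ""},
}
CURRENT = {
    "Corp-VPN": {"vpn_gateway": "vpn.example.test",
                 "pre_connect_script": "powershell -w hidden -enc <redacted-base64>"},
    "Contractor-VPN": {"vpn_gateway": "vpn.example.test", "pre_connect_script": ""},
}
AUDIT_LINES = [
    "2026-05-27T02:14:09 admin modify_remote_access_profile Corp-VPN src=203.0.113.7",
    "2026-05-28T10:05:00 ems-admin modify_remote_access_profile Contractor-VPN src=10.0.5.20",
    "2026-05-28T10:06:12 ems-admin login - src=10.0.5.20",
]
TRUSTED_ADMINS = {"ems-admin"}
TRUSTED_SOURCES = {"10.0.5.20"}
WINDOW = (datetime(2026, 5, 28, 9, 0), datetime(2026, 5, 28, 11, 0))


def hunt():
    """Run both checks over the constructed sample data."""
    return (diff_profiles(BASELINE, CURRENT),
            flag_audit_lines(AUDIT_LINES, TRUSTED_ADMINS, TRUSTED_SOURCES, WINDOW))


if __name__ == "__main__":
    profile_findings, flagged_lines = hunt()
    for f in profile_findings:
        print("PROFILE", "SCRIPT" if f["script"] else "change", f)
    for line, reasons in flagged_lines:
        print("AUDIT", ", ".join(reasons), "|", line)
```

Treat a baseline taken after the exposure window as untrustworthy: if the only snapshot you have post-dates the first possible exploitation, diff against the last configuration backup or change ticket instead, since the attacker's edit may already be in the "baseline".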