CVE-2026-35616 — Fortinet FortiClient EMS pre-auth bypass, exploited to push EKZ Infostealer down the management channel
Part of run 2026-W22-da77963d (weekly · Claude Opus 4.8)
If you did nothing this week: an attacker with a working pre-auth bypass against your FortiClient EMS management API can modify Remote Access Profile configurations and inject malicious PowerShell into every managed endpoint, with the payload disguised as a legitimate Fortinet patch, and per Arctic Wolf this is already happening.
Arctic Wolf observed active exploitation of CVE-2026-35616 (CVSS 9.1, first covered 2026-05-29, Fortinet PSIRT FG-IR-26-099, now CISA KEV-listed) in which the EKZ Infostealer was distributed through the trusted endpoint-management plane. This is the operationally important framing for this audience: the malware arrives over the channel the endpoint is built to trust, so signature-trust and "it came from EMS" heuristics fail open. Any public-sector, finance, energy or telco estate running FortiClient EMS should patch, then hunt for unexpected Remote Access Profile changes and PowerShell pushed from the EMS server in the exposure window.
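The hunt the paragraph above asks for, as an added example (not code from Fortinet, Arctic Wolf or this brief): filter an EMS audit export to the exposure window, then flag Remote Access Profile changes by actors outside your known-admin list and any script or PowerShell push from the EMS server. The log line layout, field names (`actor`, `action`, `object`, `detail`), action verbs and sample entries are constructed for illustration and are not Fortinet's real log format; map them onto whatever your EMS export actually emits.

```python
"""
Hunt helper: flag Remote Access Profile changes and PowerShell pushes
recorded in an EMS audit log inside the exposure window.

Added example; not Fortinet's, Arctic Wolf's or this brief's own code.
The line layout and the verbs below (profile.update, script.push) are
CONSTRUCTED; map them onto the fields of your real EMS export.
"""
import re
from datetime import datetime, timezone

# Constructed sample audit lines (not a real EMS export).
SAMPLE_LOG = """\
2026-05-27T08:12:03Z actor=ems-admin action=profile.update object="Remote Access Profile/HQ-VPN" detail="split tunnel toggled"
2026-05-30T02:41:17Z actor=unknown action=profile.update object="Remote Access Profile/HQ-VPN" detail="script field changed"
2026-05-30T02:41:52Z actor=unknown action=script.push object="All Endpoints" detail="powershell FortiClient_Patch.ps1"
2026-05-30T09:15:00Z actor=ems-admin action=endpoint.tag object="Workstations" detail="added tag finance"
2026-06-02T11:00:00Z actor=ems-admin action=profile.update object="Remote Access Profile/Branch" detail="DNS suffix updated"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) '
    r'object="(?P<obj>[^"]*)" detail="(?P<detail>[^"]*)"$'
)


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is normalised for older Pythons."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = _ts(ev["ts"])
            yield ev


def hunt(log_text: str, window_start: str, window_end: str, known_admins: set) -> list:
    """
    Return findings for events inside [window_start, window_end]:
      - high:   Remote Access Profile changed by an actor not in known_admins
      - review: Remote Access Profile changed by a known admin (confirm it was intended)
      - high:   any script push, or anything mentioning PowerShell, from the EMS server
    Events outside the window and routine actions are ignored.
    """
    start, end = _ts(window_start), _ts(window_end)
    findings = []
    for ev in parse_log(log_text):
        if not (start <= ev["ts"] <= end):
            continue
        is_profile_change = (ev["action"] == "profile.update"
                             and ev["obj"].startswith("Remote Access Profile"))
        is_script_push = (ev["action"] == "script.push"
                          or "powershell" in ev["detail"].lower())
        if is_profile_change:
            unexpected = ev["actor"] not in known_admins
            findings.append({
                "ts": ev["ts"].isoformat(), "actor": ev["actor"],
                "severity": "high" if unexpected else "review",
                "reason": "Remote Access Profile changed by "
                          + ("unexpected actor" if unexpected
                             else "known admin; confirm it was intended"),
            })
        if is_script_push:
            findings.append({
                "ts": ev["ts"].isoformat(), "actor": ev["actor"],
                "severity": "high",
                "reason": "script/PowerShell pushed from EMS during exposure window",
            })
    return findings


if __name__ == "__main__":
    # Exposure window here is constructed; use your own patch date and first-seen date.
    for f in hunt(SAMPLE_LOG, "2026-05-28T00:00:00Z", "2026-06-01T00:00:00Z", {"ems-admin"}):
        print(f["severity"].upper(), f["ts"], f["actor"], f["reason"])
```

Two design points: a profile change by a known admin inside the window is still surfaced as `review` rather than dropped, because the attacker in this story is acting through the management plane and may be using a legitimate account; and the window bounds are passed in explicitly so the same helper can be re-run once you learn the real first-exploitation date for your estate.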