SyncWave Blog
Cybersecurity 2 min read 66

New vulnerability in FortiClient EMS: hackers deploy malware

A critical flaw in FortiClient EMS is being exploited to install EKZ malware, putting corporate credentials and sensitive data at risk.

cyber security server

The threat behind vulnerability CVE-2026-35616

The cybersecurity ecosystem is on high alert once again following confirmation that malicious actors are exploiting a critical vulnerability in FortiClient Enterprise Management Server (EMS). Identified as CVE-2026-35616, this authentication bypass flaw allows attackers to circumvent security controls and execute code remotely, facilitating infiltration into corporate networks.

Incidents like this, much like when Zero-Day Vulnerabilities are exploited in KnowledgeDeliver, demonstrate that centralized management tools are prime targets for cybercriminals due to their ability to control multiple endpoints.

EKZ: The new danger to corporate data

The primary objective of this hack is the distribution of a little-known infostealer dubbed EKZ. This malware is specifically designed for credential harvesting, which serves as the first step for more complex attacks, including the deployment of large-scale ransomware.

The ability of EKZ to evade perimeter defenses and silently extract information makes it a high-priority threat for incident response teams.

Immediate mitigation measures

To protect infrastructures against this threat, it is essential to follow these recommendations:

  1. Update immediately: Apply the security patches provided by Fortinet to fix CVE-2026-35616.
  2. Network monitoring: Inspect traffic for unusual connections to C2 (command and control) servers associated with the EKZ payload.
  3. Segmentation: Limit access to the EMS control panel to secure, restricted management networks only.

Conclusion

The exploitation of enterprise management systems is a growing trend. While we recently analyzed cases such as Iranian Hacking: MiniFast and MiniJunk V2 on the prowl, today we see how legitimate administrative tools are being turned into attack vectors. Proactive patch management remains the most effective defense in an ever-evolving threat landscape.

Source: BleepingComputer (https://www.bleepingcomputer.com/news/security/hackers-exploit-forticlient-ems-flaw-to-push-infostealer-malware/)

Share:

Comments

Loading comments...

Contact

Want to get in touch?

Questions, suggestions or proposals — write to us and we will respond.