Computer Works Computer Works
Call
Cybersecurity

Critical FortiClient Security Flaw Being Actively Exploited by Hackers

A critical vulnerability in Fortinet's FortiClient EMS (CVE-2026-35616) is being actively exploited to steal browser passwords, cookies, and credit card data — without requiring a single login credential from attackers. Here's what it is, who's affected, and what to do right now.

Critical FortiClient Security Flaw Being Actively Exploited by Hackers

If your business uses Fortinet's endpoint management software to oversee company devices, this is an alert you need to read right now. A critical security vulnerability has been actively weaponized by hackers to silently steal browser passwords, session cookies, and even saved credit card numbers — and the attack is disguised to look like a routine software update.

What Is FortiClient EMS?

FortiClient Endpoint Management Server (EMS) is a popular enterprise tool that lets IT administrators centrally manage, monitor, and push software configurations to every device connected to their network. It's widely used by small and mid-sized businesses that run Fortinet network security gear. If you have a Fortinet firewall or VPN appliance, there's a real chance FortiClient EMS is also in your environment.

That central management capability — the ability to push commands to every managed device at once — is exactly what attackers are now exploiting.

The Vulnerability: CVE-2026-35616

The flaw, tracked as CVE-2026-35616 by Security Affairs, carries a CVSS severity score of 9.1 out of 10 — meaning it's considered critical. It's classified as an improper access control issue (CWE-284) that allows an attacker to bypass API authentication entirely and escalate their privileges to an administrative level.

In plain English: an attacker on the internet can send specially crafted requests to your FortiClient EMS server without ever needing a username or password, and the system processes those requests as if they came from a trusted administrator.

Fortinet confirmed active zero-day exploitation of this flaw and released out-of-band patches in early April. In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog — the federal government's official list of flaws being actively abused in the wild.

What Attackers Are Actually Doing

Researchers at Arctic Wolf identified active attacks in May 2026 and the attack chain they uncovered is particularly sneaky. According to The Hacker News, here's how the attack unfolds:

  1. Authentication bypass: Attackers send crafted HTTP requests to FortiClient EMS endpoints without any credentials. The system processes them as legitimate administrative actions.

  2. Configuration tampering: Once inside, attackers modify Remote Access Profile configurations and endpoint policies to insert a malicious script.

  3. Fake update delivery: The attackers use FortiClient's own management pathway to push malicious PowerShell commands to every managed endpoint — disguised as a legitimate Fortinet firmware or software update. The payload is named "FortiEndpoint_Patch.exe" to blend in.

  4. Credential theft: The fake update installs a previously unreported Windows information stealer. It harvests passwords, cookies, and autofill data including credit card numbers, addresses, and phone numbers from Chromium- and Gecko-based browsers (Chrome, Firefox, Edge, Brave, etc.).

  5. Exfiltration: The stolen data is written to a log file in the ProgramData directory, then a separate PowerShell script transmits it over HTTP to an attacker-controlled server.

As Arctic Wolf noted, once attackers control EMS configuration, every managed endpoint becomes a potential execution target — without the attacker needing to break into each device individually. The campaign abused trusted endpoint management infrastructure to deliver malware across the entire managed fleet in one move.

What makes this especially dangerous: stolen session cookies can give attackers follow-on access to cloud services and internal applications, and may even bypass multi-factor authentication (MFA) if the session is still valid.

Are You Affected?

You're potentially at risk if:

  • Your business runs FortiClient EMS version 7.4.5 or 7.4.6
  • Your FortiClient EMS server is reachable from the internet (directly or via exposed management ports)
  • You haven't applied Fortinet's hotfix patches released in April 2026

Fortinet has urged users of FortiClient EMS 7.4.5 and 7.4.6 to install the available hotfixes immediately. A permanent fix is included in version 7.4.7 and later.

Immediate Steps to Take

1. Check your FortiClient EMS version. Log into your EMS management console and confirm which version you're running. If it's 7.4.5 or 7.4.6, stop reading and go patch right now.

2. Apply the hotfix or upgrade to 7.4.7+. Fortinet released out-of-band patches in early April specifically for this vulnerability. If you haven't applied them, your system is unprotected against an actively exploited critical flaw.

3. Review your endpoint policy and Remote Access Profile configurations. Look for any recent unauthorized changes to endpoint policies or scripts. The attackers specifically modified these to insert malicious payloads.

4. Audit managed endpoints for the fake update file. Search for "FortiEndpoint_Patch.exe" on managed devices. Its presence is a strong indicator of compromise.

5. Reset browser credentials on potentially exposed devices. Since the stealer harvests saved passwords and cookies from browsers, users on managed endpoints should change passwords for cloud services, internal tools, and banking applications — and invalidate active sessions where possible.

6. Restrict network exposure of your EMS server. If your FortiClient EMS management interface doesn't need to be reachable from the open internet, firewall it off. Exposure to the internet dramatically increases risk.

This Isn't an Isolated Problem

It's worth noting that this FortiClient attack isn't happening in a vacuum. Just this week, Security Affairs also reported that CISA added three more supply chain attack flaws to its Known Exploited Vulnerabilities catalog — including compromised DAEMON Tools installers, poisoned TanStack npm packages, and a malicious Nx Console Visual Studio extension. Attackers are increasingly targeting the software and tools that businesses trust for legitimate work.

The FortiClient attack follows this same playbook: don't break through the front door — abuse the tools your IT team already trusts.

The Bottom Line for Yuba City Businesses

If Fortinet tools are part of your network, this patch is non-negotiable. A CVSS 9.1 vulnerability with no authentication requirement, active exploitation in the wild, and a federal advisory all point to the same conclusion: this needs to be addressed today.

For Yuba City small businesses managing their own Fortinet infrastructure, now is a good time to do a quick audit. If you're unsure whether your systems are running a vulnerable version — or if you need help reviewing your endpoint security posture — our business IT services team is happy to take a look. Sometimes a second set of eyes is all it takes to catch something before attackers do.

Recommended
Proton VPN
Proton VPN
Protect your browsing
Proton Mail
Proton Mail
Encrypted email
Related local service
Worried this could be malware?
If your computer has pop-ups, redirects, suspicious downloads, or ransomware warnings, start with our local virus removal page.
Call Us View virus removal
Tags
cybersecurity vulnerability patch-management small-business-it privilege-escalation
← Back to all posts