Update note: We published an initial alert about CVE-2026-35616 on May 28. Since then, Arctic Wolf researchers have released a detailed technical breakdown of the full attack chain — including the specific malware used, exactly how it steals your data, and concrete remediation steps. This post covers all of that new detail.
If your business uses Fortinet products to manage endpoint security across your network, stop what you're doing and read this.
Attackers are actively exploiting a critical flaw in FortiClient Enterprise Management Server (EMS) to push malware directly to business computers — and they're doing it by disguising the attack as a routine Fortinet software update. By the time employees notice anything unusual, their passwords, browser cookies, and even saved credit card numbers may already be on their way to an attacker-controlled server.
Here's everything Yuba City businesses and IT administrators need to know.
What Is FortiClient EMS?
FortiClient EMS is a centralized management platform that IT administrators use to deploy, configure, and monitor Fortinet's FortiClient endpoint security software across every device in an organization's network. Think of it as the command center for your company's endpoint protection — when it's compromised, every managed device becomes a potential target without attackers needing to break into each one individually.
That's exactly what makes this particular vulnerability so dangerous.
The Vulnerability: CVE-2026-35616 (CVSS 9.1)
The Hacker News reports that the flaw, tracked as CVE-2026-35616, is a critical pre-authentication API access bypass that leads to privilege escalation. Fortinet addressed the vulnerability in FortiClient EMS version 7.4.7 and later.
What does "pre-authentication bypass" mean in plain English? It means attackers don't need a valid username or password to exploit it. As Help Net Security explains, when specially crafted HTTP requests are sent to certain FortiClient EMS endpoints without valid credentials, those requests are processed as if they were legitimate administrative actions. Once inside, threat actors can interact with EMS functionality that would normally require full administrative access.
Fortinet first publicly disclosed the vulnerability in early April 2026, after Defused Cyber spotted it being exploited as a zero-day. The attacks observed by Arctic Wolf happened in May 2026 — meaning exploitation is still actively ongoing.
How the Attack Works — Step by Step
This is where the new Arctic Wolf research gets particularly alarming. The attack chain is sophisticated and specifically designed to blend in with normal IT operations.
Step 1 — Authentication bypass. Attackers send crafted HTTP requests to the FortiClient EMS server, bypassing API authentication entirely.
Step 2 — Configuration manipulation. Once inside, according to Help Net Security, threat actors update the remind_upgrade_after configuration to defer firmware upgrade reminders (so IT staff don't get tipped off), then edit the Remote Access Profile configuration and endpoint policy to insert a malicious script.
Step 3 — Malware delivery disguised as an update. The malicious payload — a file named FortiEndpoint_Patch.exe — is pushed to managed endpoints and presented as a Fortinet endpoint update. As The Hacker News reports, attackers also leveraged fortitray.exe, a legitimate FortiClient executable, to launch a .cmd script file using cmd.exe.
Step 4 — PowerShell runs the stealer and sends the data out. That .cmd script invokes a Base64-encoded PowerShell script, which downloads the malicious payload, runs it, and exfiltrates the results to an attacker-controlled IP address (83.138.53[.]110) via an HTTP POST request.
One important technical nuance worth knowing: the stealer itself lacks network-based exfiltration capabilities — it's the PowerShell wrapper that actually transmits the stolen data. The malware writes captured data to a log file saved in the ProgramData directory first.
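The chain above leaves two endpoint-side traces a defender can look for: fortitray.exe spawning cmd.exe to run a .cmd script (step 3), and powershell.exe launched with an -EncodedCommand argument whose decoded text references the fake patch name or the exfiltration address (step 4). The script below is an added example written for this post, not code from Arctic Wolf, Fortinet, or the original article. It assumes process-creation telemetry in a Sysmon-like shape (parent image, image, command line); the sample events are constructed, and the only indicators taken from the write-up are fortitray.exe, FortiEndpoint_Patch.exe and the IP 83.138.53[.]110 (used undefanged for matching).

```python
from __future__ import annotations

import base64
import re

# Indicators from the write-up: the legitimate FortiClient tray binary abused as a
# launcher, the fake "patch" filename, and the exfiltration IP (published defanged
# as 83.138.53[.]110).
IOC_IP = "83.138.53.110"
IOC_FILE = "fortiendpoint_patch.exe"

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...) plus
# the documented short form -ec, so the pattern is built from all of those prefixes.
_PREFIXES = "|".join(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)])
ENCODED_ARG = re.compile(rf"(?:^|\s)-(?:{_PREFIXES})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(blob: str) -> str | None:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text); None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event: dict) -> list[str]:
    """Return the reasons (if any) that one process-creation event matches the chain."""
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "")
    findings: list[str] = []

    # Step 3: the tray binary has no business spawning cmd.exe to run a .cmd script.
    if parent.endswith("fortitray.exe") and image.endswith("cmd.exe") and ".cmd" in cmd.lower():
        findings.append("fortitray.exe launched a .cmd script via cmd.exe")

    if IOC_IP in cmd:
        findings.append(f"command line references known exfiltration IP {IOC_IP}")

    # Step 4: decode -EncodedCommand and inspect the plaintext for the indicators.
    if image.endswith("powershell.exe"):
        match = ENCODED_ARG.search(cmd)
        if match:
            decoded = decode_encoded_command(match.group(1))
            if decoded is None:
                findings.append("powershell -EncodedCommand payload could not be decoded")
            else:
                low = decoded.lower()
                if IOC_IP in low:
                    findings.append(f"encoded PowerShell references known exfiltration IP {IOC_IP}")
                if IOC_FILE in low:
                    findings.append(f"encoded PowerShell references {IOC_FILE}")
                if "programdata" in low and "post" in low:
                    findings.append("encoded PowerShell POSTs content from ProgramData")
    return findings


def triage_events(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that matched something."""
    hits: dict[int, list[str]] = {}
    for idx, event in enumerate(events):
        reasons = triage_event(event)
        if reasons:
            hits[idx] = reasons
    return hits


def _encode_ps(script: str) -> str:
    """Encode text the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (paths and the FortiUpdate.cmd name are invented).
# The "decoded" PowerShell is just a string carrying the indicators, not a working script.
_SAMPLE_SCRIPT = "# constructed: FortiEndpoint_Patch.exe ; POST C:\\ProgramData\\out.log to http://83.138.53.110/"
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\FortiUpdate.cmd"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -enc " + _encode_ps(_SAMPLE_SCRIPT)},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"parent": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "cmdline": "FortiClient.exe"},
]

if __name__ == "__main__":
    for idx, reasons in triage_events(SAMPLE_EVENTS).items():
        print(idx, reasons)
```

Decoding the encoded argument matters because the raw command line never contains the IP or filename; only the UTF-16LE plaintext does. The benign events (a scheduled backup script and FortiClient's own child process) produce no findings, which is the behaviour you want before pointing this at real telemetry.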
What Data Is Being Stolen?
Arctic Wolf researchers dubbed the malware the EKZ Infostealer. According to Help Net Security, it is capable of harvesting:
- Session cookies (which can be replayed to bypass MFA entirely)
- Saved passwords and credentials
- Autofill data — including credit card numbers, addresses, and phone numbers
It targets browsers and applications using both Chromium and Gecko engines, meaning the following are all at risk: Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Mozilla Firefox, Thunderbird, the Tor Browser, LibreWolf, Pale Moon, and others.
Researchers also recovered additional malicious samples from the attacker's server with file names including FortiEndpoint_Patch.2.4.9.zip, Microsoftr Windowsr Operating System-Installer.exe, and a file masquerading as a Windows CRT DLL.
The downstream risk is severe. As The Hacker News notes, "session cookies and saved browser credentials may provide threat actors with follow-on access to cloud services, internal applications, and other authenticated resources, including cases where session reuse may circumvent MFA prompts." In other words, even businesses with multi-factor authentication enabled are not automatically safe once cookies are stolen.
What You Need to Do Right Now
If your organization runs FortiClient EMS, here is a concrete action list based on the Arctic Wolf guidance reported by Help Net Security:
Update FortiClient EMS to version 7.4.7 or later — this is the patched release from Fortinet.
Review your EMS logs for suspicious indicators: certificate errors, new or unfamiliar accounts, suspicious logins, and unexpected configuration changes — particularly to firmware upgrade settings or Remote Access Profiles.
If you find evidence of compromise:
- Change all affected passwords immediately
- Revoke active sessions across all potentially affected services (cloud apps, internal tools, VPNs)
- Check what autofill data was stored in browsers — if payment card details were saved, contact your bank to cancel and reissue those cards
- Audit access logs for cloud services for any unusual sign-ins
Block the known malicious IP (83.138.53[.]110) at your firewall or perimeter.
Alert your IT team or managed service provider and share the indicators of compromise that Arctic Wolf has published.
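To make the first two items on that list concrete, here is an added example (written for this post, not Arctic Wolf's or Fortinet's tooling) that checks an EMS version string against the 7.4.7 threshold and walks a set of audit-log lines looking for the indicators named above: unfamiliar accounts, logins from outside your admin network, certificate errors, and configuration changes to remind_upgrade_after, Remote Access Profiles or endpoint policies. The key=value log format, the field names, the sample log lines, and the admin account and network placeholders are all assumptions made for this example; real EMS logs will need their own parser.

```python
from __future__ import annotations

import ipaddress
import re

PATCHED_VERSION = (7, 4, 7)      # fixed release named in the advisory coverage
IOC_IP = "83.138.53.110"         # published defanged as 83.138.53[.]110
IOC_FILE = "fortiendpoint_patch.exe"
WATCHED_KEYS = {"remind_upgrade_after"}
WATCHED_OBJECTS = {"remote_access_profile", "endpoint_policy"}

# Placeholders for your environment: who may administer EMS, and from which networks.
KNOWN_ADMINS = {"it.admin"}
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]


def version_is_patched(version: str) -> bool:
    """True for 7.4.7 and later. The post names only this threshold; for other
    release branches consult Fortinet's advisory rather than this comparison."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts >= PATCHED_VERSION


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict[str, str]:
    """Split an assumed key=value audit-log line into a dict."""
    return dict(_KV.findall(line))


def review_line(fields: dict[str, str]) -> list[str]:
    """Return the reasons one log entry deserves a closer look."""
    reasons: list[str] = []
    user = fields.get("user", "-")
    src = fields.get("src", "")
    action = fields.get("action", "")

    if user != "-" and user not in KNOWN_ADMINS:
        reasons.append(f"unfamiliar account {user}")

    if src:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            addr = None
        if addr is not None:
            if str(addr) == IOC_IP:
                reasons.append(f"activity from known malicious IP {IOC_IP}")
            if action == "login" and not any(addr in net for net in ADMIN_NETWORKS):
                reasons.append(f"login from outside admin networks ({src})")

    if action == "config_update":
        key = fields.get("key", "")
        obj = fields.get("object", "")
        if key in WATCHED_KEYS:
            reasons.append(f"change to {key} (upgrade reminders deferred?)")
        if obj in WATCHED_OBJECTS:
            reasons.append(f"change to {obj}")
        if IOC_FILE in fields.get("new", "").lower():
            reasons.append(f"config now references {fields['new']}")

    if fields.get("result") == "certificate_error":
        reasons.append("certificate error")
    return reasons


def review_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, reasons) for every line that triggered a rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = review_line(parse_line(line))
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample log (documentation-range IPs, invented account names).
SAMPLE_LOG = [
    "ts=2026-05-12T08:40:11Z user=it.admin src=10.10.1.20 action=login result=success",
    "ts=2026-05-12T08:41:02Z user=ems_svc1 src=203.0.113.7 action=config_update object=settings key=remind_upgrade_after old=0 new=90",
    "ts=2026-05-12T08:41:09Z user=ems_svc1 src=203.0.113.7 action=config_update object=remote_access_profile key=script new=[redacted]",
    "ts=2026-05-12T08:41:15Z user=ems_svc1 src=203.0.113.7 action=config_update object=endpoint_policy key=deploy_file new=FortiEndpoint_Patch.exe",
    "ts=2026-05-12T08:42:00Z user=it.admin src=10.10.1.20 action=config_update object=settings key=log_retention_days old=30 new=60",
    "ts=2026-05-12T09:00:00Z user=- src=198.51.100.9 action=tls_handshake result=certificate_error",
    "ts=2026-05-12T09:05:31Z user=it.admin src=203.0.113.7 action=login result=success",
]

if __name__ == "__main__":
    print("patched:", version_is_patched("7.4.7"))
    for number, reasons in review_log(SAMPLE_LOG):
        print(number, reasons)
```

The routine config change on line 5 and the normal admin login on line 1 come back clean; the deferred upgrade reminder, the profile and policy edits, the certificate error and the admin login from an unexpected address are each surfaced with a reason you can hand to whoever does the deeper investigation.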
Why This Matters for Small and Mid-Sized Businesses
The reason this attack is so effective is that it uses your own management infrastructure against you. As Arctic Wolf explained, once attackers had control of EMS configuration, "every managed endpoint became a potential execution target without requiring a separate intrusion path to each device." For a small business relying on Fortinet tools to protect a dozen or more workstations, that means one server compromise can cascade across the entire office instantly.
If you're running FortiClient EMS and aren't sure whether your version is up to date — or if you want a second set of eyes on your network logs — the team at Computer Works helps local businesses work through exactly these kinds of urgent security situations. Sometimes a quick check is all it takes to confirm you're safe (or catch something before it gets worse).
The Bottom Line
CVE-2026-35616 is a CVSS 9.1-rated, actively exploited critical flaw. The patch exists. The attack campaign is ongoing. The malware it delivers steals credentials broadly enough to undermine MFA protections on your cloud services. For any Yuba City business using Fortinet endpoint management tools, updating to FortiClient EMS 7.4.7 or later — and reviewing your logs for signs of compromise — is not optional at this point.