CVE-2026-35616 is a critical remote code execution vulnerability in FortiClient EMS that can be exploited without authentication via crafted requests. Fortinet issued hotfixes in April after confirming exploitation in the wild. Attackers used FortiClient's management pathways to execute malicious PowerShell scripts on managed endpoints, deploying the EKZ Infostealer malware. This malware targets credentials and autofill data from multiple browsers and exfiltrates the data over HTTP. The vulnerability enables attackers to execute code on all endpoints managed by the compromised EMS, significantly increasing the attack surface. The vulnerability is recognized by CISA as actively exploited, emphasizing the urgency of patching.

Successful exploitation allows remote unauthenticated attackers to execute arbitrary code on FortiClient EMS, enabling them to push malicious commands to all managed endpoints. This leads to deployment of information-stealing malware that harvests credentials, cookies, and autofill data from major browsers and exfiltrates it, potentially compromising user accounts and sensitive information across the affected network.

Fortinet released official hotfixes for CVE-2026-35616 in April 2026. Organizations should immediately apply these patches to FortiClient EMS to remediate the vulnerability. Since the vulnerability is actively exploited in the wild and listed on CISA's Known Exploited Vulnerabilities list, prompt patching is critical. No alternative mitigations or workarounds are specified. Fortinet does not manage this as a cloud service; patching is the responsibility of the deploying organization.