A critical vulnerability in FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-35616, is being actively exploited by threat actors to deploy information-stealing malware. The flaw has a CVSS score of 9.1 and can be exploited remotely without authentication, allowing remote code execution. It was patched in April, but unpatched systems remain vulnerable to attack. Arctic Wolf has reported that the flaw is being used in fresh attacks to deploy malware, highlighting the need for prompt patching and mitigation. The exploitation of this vulnerability expands the active attack surface, so organizations should prioritize patching based on their exposure and evidence of exploitation [1]. Because the risk to unpatched systems is significant, practitioners should take immediate action to patch and protect their systems.
CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks
⚠️ Critical Alert
Why This Matters
The CVE-2026-35616 disclosure expands the active attack surface; prioritize patching based on your exposure and exploitation evidence.
References
- SecurityAffairs. (2026, May 28). CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks. *SecurityAffairs*. https://securityaffairs.com/192817/malware/cve-2026-35616-forticlient-ems-flaw-actively-exploited-in-malware-attacks.html