Threat actors are actively exploiting a critical vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) to deliver information-stealing malware, according to a Security Affairs report on 28 May 2026 citing Arctic Wolf findings.

The flaw, tracked as CVE-2026-35616, carries a CVSS score of 9.1 out of 10. According to the report, it can be exploited remotely via crafted requests for remote code execution (RCE) and does not require authentication. Fortinet has patched the vulnerability, but the gap between that fix and real-world weaponisation underscores the speed at which attackers capitalise on newly disclosed weaknesses in critical security infrastructure.

No Credentials Required

What makes CVE-2026-35616 especially dangerous is its reported zero-authentication nature. An attacker can send a crafted request to a vulnerable EMS server and achieve remote code execution without valid login credentials, according to the report. That dramatically lowers the barrier to exploitation, meaning any internet-exposed instance is effectively a sitting target.

FortiClient EMS serves as a centralised management console for endpoint deployments across enterprise environments. A compromise of the server does not stay contained — it can cascade across an entire fleet of managed devices. Once an attacker gains control of the EMS, they can potentially push malicious payloads to every connected endpoint, turning a single vulnerability into a full-scale intrusion.

Info-Stealers Already in the Wild

Arctic Wolf reports that observed attack campaigns are deploying information-stealing malware on compromised environments. Specific malware families have not yet been publicly identified, but the pattern aligns with a broader trend of adversaries targeting management and security infrastructure to maximise the blast radius of a single exploit.

Organisations relying on FortiClient EMS for endpoint security face a paradox: the very platform meant to protect their devices has become an attack vector. Security teams should review logs for unauthorised access to EMS servers and scan managed endpoints for indicators of compromise associated with info-stealer tooling.

Remediation and Mitigation

Fortinet's patch resolves the vulnerability and should be applied immediately. For organisations unable to patch on short notice, the following standard compensating measures can help reduce exposure:

  • Restrict network access to the EMS management interface, particularly from the public internet. Network segmentation can limit the attack surface.
  • Monitor logs aggressively for signs of unauthorised access or unusual activity on EMS servers and managed endpoints.
  • Audit endpoint security posture to ensure no lateral movement has occurred from a compromised management server.

The incident highlights a persistent challenge in enterprise security: the patch gap. Even when vendors release fixes promptly, organisations frequently fail to apply updates to critical infrastructure quickly enough. Security management platforms like EMS demand the fastest possible patch turnaround because their compromise affects everything downstream.

Why This Matters

For IT administrators and security professionals in Hong Kong and across the Asia-Pacific region, the vulnerability is a reminder that endpoint management platforms are high-value targets. Any organisation operating FortiClient EMS should treat this as an urgent patching priority, irrespective of whether suspicious activity has been observed. The combination of unauthenticated remote code execution and active exploitation in the wild makes CVE-2026-35616 one of the most significant Fortinet vulnerabilities disclosed this year.

No indicators of compromise or detailed campaign attribution have been published to date. Defenders should consult Fortinet's official advisory and rely on their own threat-hunting capabilities until further intelligence becomes available.

