Threat actors are actively exploiting a severe, pre-authentication remote code execution flaw in Fortinet's FortiClient Endpoint Management Server (EMS) to deliver information-stealing malware, according to a Security Affairs report citing findings from cybersecurity firm Arctic Wolf.
The vulnerability, catalogued as CVE-2026-35616 and carrying a CVSS severity score of 9.1 out of 10, allows an attacker to execute arbitrary code on a targeted EMS instance simply by sending specially crafted requests — no credentials or user interaction required. Fortinet issued patches for the flaw in April 2026, but organisations that have not yet applied the fix remain exposed to in-the-wild attacks.
A single point of failure for every managed endpoint
What makes CVE-2026-35616 particularly dangerous is the architectural role FortiClient EMS plays in enterprise environments. The platform serves as a centralised management console that oversees FortiClient deployments across potentially thousands of endpoints within an organisation. A successful compromise of the EMS server does not just breach a single machine — it hands attackers a vantage point from which they can survey, manipulate, or disable the security posture of every managed device.
According to Arctic Wolf's analysis, attackers are capitalising on this centralised access by deploying infostealer malware through compromised EMS instances. Information stealers are designed to harvest credentials, session tokens, browser data, and other sensitive material from infected systems, feeding that data back to attacker-controlled infrastructure for later exploitation or sale.
The patch gap remains the battlefield
Fortinet confirmed the vulnerability and released fixes in its April 2026 security advisory cycle. However, the gap between when a vendor patches a critical flaw and when organisations actually deploy that patch continues to be one of the most fertile attack surfaces in modern cybersecurity. With CVE-2026-35616 requiring no authentication to exploit, the barrier to weaponisation is exceptionally low once an attacker identifies a reachable, unpatched EMS server on the internet.
Security researchers have repeatedly warned that internet-facing management consoles are among the first assets targeted by opportunistic threat actors following the disclosure of a major vulnerability. Scanning for unpatched FortiClient EMS instances can be automated at scale, meaning organisations that have deferred patching even by a few weeks are running an elevated risk.
Immediate action recommended
For IT and security teams managing FortiClient EMS deployments, the following steps should be treated as a priority:
- Verify patch status immediately. Confirm whether your FortiClient EMS instances are running the April 2026 patched version. If not, apply the update without delay.
- Audit internet exposure. Ensure that EMS management interfaces are not directly accessible from the public internet. Where possible, restrict access through VPN or zero-trust network access solutions.
- Hunt for indicators of compromise. Review EMS logs for unexpected administrative activity, anomalous authentication patterns, or unauthorised configuration changes that could suggest a prior breach.
- Monitor endpoint telemetry. Given the infostealer payload being deployed, check for signs of credential-harvesting activity across managed endpoints, including unusual processes accessing browser credential stores or outbound connections to unfamiliar infrastructure.
A broader pattern
This is not the first time Fortinet products have drawn scrutiny for vulnerabilities that are rapidly exploited after disclosure. Fortinet's widespread presence in enterprise and government networks worldwide makes its products a high-value target, and the vendor's advisories consistently draw immediate attention from both defenders and attackers alike.
The active exploitation of CVE-2026-35616 underscores a familiar but critical lesson: centralised management tools demand the same — if not greater — urgency in patching as the endpoints they protect. A single unpatched EMS server can undermine the security of an entire fleet.
根據 Security Affairs 的一篇報導引用網絡安全公司 Arctic Wolf 的研究結果,威脅行為者正積極利用 Fortinet 旗下 FortiClient 端點管理伺服器 (EMS) 中一個嚴重的、無需預先驗證的遠端程式碼執行漏洞,以傳播資訊竊取惡意軟件。
該漏洞編號為 CVE-2026-35616,CVSS 嚴重性評分高達 9.1 分(滿分 10 分)。攻擊者僅需發送特製的請求,即可在目標 EMS 實例上執行任意程式碼,無需任何憑證或用戶互動。Fortinet 已於 2026 年 4 月為此漏洞發布修補程式,但尚未套用修復措施的企業組織仍暴露於野外攻擊的風險之下。
所有受管端點的單點故障點
CVE-2026-35616 尤其危險之處在於 FortiClient EMS 在企業環境中的架構角色。該平台作為集中管理主控台,可監督企業內潛在數千個端點的 FortiClient 部署。成功入侵 EMS 伺服器不僅意味著單一機器被攻破,更賦予攻擊者一個制高點,使其能夠偵察、操縱或停用所有受管裝置的安全態勢。
根據 Arctic Wolf 的分析,攻擊者正利用這種集中存取權限,透過被入侵的 EMS 實例部署資訊竊取惡意軟件。資訊竊取器旨在從受感染系統中竊取憑證、工作階段權杖、瀏覽器數據及其他敏感資料,並將這些數據回傳至攻擊者控制的基礎設施,以供後續利用或出售。
修補間隙仍是主戰場
Fortinet 已在 2026 年 4 月的安全公告週期中確認此漏洞並發布修復程式。然而,供應商修補關鍵漏洞與企業實際部署該修補程式之間的時間差,一直是現代網絡安全中最易受攻擊的薄弱環節之一。由於 CVE-2026-35616 無需驗證即可被利用,一旦攻擊者在互聯網上識別出可達、未修補的 EMS 伺服器,將其武器化的門檻便異常低。
安全研究人員一再警告,暴露於互聯網的管理主控台,是重大漏洞披露後,機會主義威脅行為者優先攻擊的資產之一。掃描未修補的 FortiClient EMS 實例可大規模自動化進行,這意味著即使僅延遲數週進行修補的企業組織,也面臨著更高的風險。
建議立即採取行動
對於管理 FortiClient EMS 部署的資訊科技及安全團隊,應將以下步驟列為優先事項:
- 立即確認修補狀態。 確認您的 FortiClient EMS 實例是否運行 2026 年 4 月的修補版本。若否,請立即套用更新。
- 審計互聯網暴露面。 確保 EMS 管理介面無法直接從公共互聯網存取。在可能的情況下,透過 VPN 或零信任網絡存取方案限制存取。
- 搜尋入侵指標。 檢查 EMS 日誌中是否有異常的管理活動、異常的驗證模式或未經授權的配置變更,這些都可能表明先前已遭入侵。
- 監控端點遙測數據。 考慮到正在部署的資訊竊取器負載,請檢查受管端點上是否存在憑證竊取活動的跡象,包括異常處理程序存取瀏覽器憑證儲存區,或連線至陌生基礎設施的外部連線。
更廣泛的模式
這並非 Fortinet 產品首次因漏洞在披露後迅速被利用而受到密切關注。Fortinet 產品在全球企業及政府網絡中的廣泛應用,使其成為高價值目標,而該供應商的安全公告總能同時引起防禦者與攻擊者的高度關注。
CVE-2026-35616 的活躍利用凸顯了一個熟悉但至關重要的教訓:集中式管理工具在修補方面需要與其保護的端點具備同等(甚至更高)的緊迫性。單一未修補的 EMS 伺服器,便可能破壞整個端點群組的安全性。