FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch
Key Takeaways
Arctic Wolf observed evidence of CVE-2026-35616 being exploited against FortiClient EMS deployments.
The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints.
Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.
The credential stealer, designated as EKZ Infostealer, supports credential …