(TLP:CLEAR) Vulnerability Notification – Critical Vulnerability in Fortinet EMS Actively Exploited, CVE-2026-35616

TLP:CLEAR

Author: Chase Snow

Created: Friday, May 29, 2026 - 10:13

Categories: Cybersecurity, Security Preparedness

ACTION MAY BE REQUIRED for utilities using Fortinet FortiClient Endpoint Management Server (EMS). Utilities that outsource technology support may need to consult their service providers for assistance with remediation actions.

Summary: Recent reporting from Arctic Wolf identified threat actors actively exploiting a critical improper access control vulnerability affecting Fortinet FortiClient EMS. Tracked as CVE-2026-35616 (CVSS 9.1), the vulnerability allows an unauthorized attacker to bypass API authentication and authorization controls and execute unauthorized code or commands through crafted requests.

WaterISAC added this vulnerability to its Weekly Vulnerabilities to Prioritize post on April 9.

Analyst Note: Arctic Wolf noted that threat actors are exploiting the vulnerability to abuse FortiClient EMS management functionality and distribute credential-stealing malware dubbed “EKZ Infostealer” across managed endpoints. The malware was disguised as a legitimate Fortinet endpoint update and deployed through trusted EMS workflows, allowing attackers to use the organization’s own endpoint management infrastructure to spread malicious code.

Fortinet has released hotfixes for affected versions and notes that FortiClient EMS 7.4.7 and later versions remediate the vulnerability. FortiClient EMS 7.2 is not affected. Fortinet Cloud and FortiSASE customers do not need to take action.

Affected Versions:

  • FortiClient EMS 7.4.5 – install hotfix by following these instructions.
  • FortiClient EMS 7.4.6 – install hotfix by following these instructions.

WaterISAC strongly encourages members to review Fortinet’s advisory, determine whether FortiClient EMS is deployed within their environment, and upgrade affected systems immediately.

Additional Reading:

  • Fortinet PSIRT Advisory FG-IR-26-099
  • FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer
