HIGH

FortiClient EMS Auth Bypass CVE-2026-35616 Actively Exploited to Deploy EKZ Credential Stealer

cve · vulnerability · malware · privilege-escalation

Threat actors are actively exploiting CVE-2026-35616, an authentication bypass in FortiClient Enterprise Management Server (EMS), to deliver a previously undocumented credential stealer named EKZ. Arctic Wolf found that the campaign abused trusted endpoint management infrastructure to push malware across managed endpoints, with EKZ disguised as a legitimate Fortinet endpoint component to evade detection. Fortinet released hotfixes in April; any unpatched EMS deployment should be treated as potentially compromised. Organizations should audit endpoint management servers for unauthorized processes and rotate credentials on affected systems.