Cybercriminals Exploit FortiClient EMS Vulnerability to Spread Spyware

Cybersecurity experts have uncovered a large-scale campaign in which attackers exploit a vulnerability in FortiClient EMS to distribute a new malware strain, EKZ. This threat is designed to steal credentials and other sensitive information from infected systems.

The vulnerability CVE-2026-35616 affects Fortinet’s enterprise client management servers and allows authentication bypass. After successful exploitation, attackers gain the ability to execute arbitrary code on target systems, paving the way for malware deployment. Experts note that the attacks are targeted and focus on organizations using FortiClient EMS for endpoint security management.

The EKZ malware operates stealthily and can collect data from browsers, system files, and other sources. After harvesting information, it transmits it to attackers' command-and-control servers. Fortinet has already released patches to address the vulnerability, but many companies have yet to update their systems, leaving them vulnerable to attacks.

Experts recommend administrators urgently install security updates and conduct system audits for potential compromises. Special attention should be given to monitoring network traffic and reviewing logs for suspicious activity.