Attackers are exploiting a critical authentication bypass vulnerability in FortiClient EMS (CVE-2026-35616) to deliver credential-stealing malware known as EKZ, disguised as a legitimate Fortinet update. The bypass permits unauthenticated remote command execution, and the malware it delivers exfiltrates sensitive user data from compromised endpoints.
For defenders, the key point is that CVE-2026-35616 is under active exploitation and is being used to push an infostealer disguised as a Fortinet update. Apply the emergency hotfixes for FortiClient EMS 7.4.5 and 7.4.6, monitor for certificate-authentication anomalies, and treat any unexpected change to a Remote Access Profile configuration as a possible indicator of exploitation.
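One practical way to act on the last two indicators is to keep a known-good export of the Remote Access Profiles and diff each new export against it, flagging new profiles, removed profiles and any changed field (including a certificate-authentication setting being switched off). The script below is an added example written for this page; it is not Fortinet's code, and the JSON layout, field names (`remote_access_profiles`, `cert_auth`, `on_connect_script`, `last_modified`) and both sample exports are constructed assumptions, not FortiClient EMS's real export schema. Replace the two embedded strings with real exports and adjust the field names to match.

```python
"""Baseline diff for Remote Access Profile exports (added example, hypothetical schema)."""
import hashlib
import json

# Constructed sample exports. The field names are assumptions made for this
# example and are not the real FortiClient EMS export format.
BASELINE_EXPORT = json.dumps({
    "remote_access_profiles": [
        {"name": "Corp-VPN", "gateway": "vpn.corp.example", "cert_auth": True,
         "on_connect_script": "", "last_modified": "2026-04-01T08:00:00Z"},
        {"name": "Contractors", "gateway": "vpn2.corp.example", "cert_auth": True,
         "on_connect_script": "", "last_modified": "2026-04-01T08:00:00Z"},
    ]
})

# Constructed "after" export: cert auth disabled and a script added on one
# profile, plus a brand-new profile pointing at an unfamiliar gateway.
CURRENT_EXPORT = json.dumps({
    "remote_access_profiles": [
        {"name": "Corp-VPN", "gateway": "vpn.corp.example", "cert_auth": False,
         "on_connect_script": "C:\\ProgramData\\update.exe",
         "last_modified": "2026-04-20T02:13:00Z"},
        {"name": "Contractors", "gateway": "vpn2.corp.example", "cert_auth": True,
         "on_connect_script": "", "last_modified": "2026-04-01T08:00:00Z"},
        {"name": "Temp-Profile", "gateway": "203.0.113.5", "cert_auth": False,
         "on_connect_script": "", "last_modified": "2026-04-20T02:15:00Z"},
    ]
})

# Housekeeping fields whose change on its own is not suspicious.
IGNORED_FIELDS = {"last_modified"}


def _index(export_json):
    """Map profile name -> profile dict for one export."""
    data = json.loads(export_json)
    return {p["name"]: p for p in data.get("remote_access_profiles", [])}


def profile_fingerprint(profile):
    """Stable SHA-256 of a profile with housekeeping fields removed."""
    material = {k: v for k, v in profile.items() if k not in IGNORED_FIELDS}
    return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()


def diff_profiles(baseline_json, current_json):
    """Return findings as (profile, kind, field, old, new) tuples.

    kind is "added", "removed" or "changed"; for added/removed profiles the
    gateway is reported so an analyst can see where the profile points.
    """
    base, cur = _index(baseline_json), _index(current_json)
    findings = []
    for name in sorted(set(base) | set(cur)):
        if name not in base:
            findings.append((name, "added", None, None, cur[name].get("gateway")))
            continue
        if name not in cur:
            findings.append((name, "removed", None, base[name].get("gateway"), None))
            continue
        if profile_fingerprint(base[name]) == profile_fingerprint(cur[name]):
            continue  # identical apart from ignored fields
        for field in sorted(set(base[name]) | set(cur[name])):
            if field in IGNORED_FIELDS:
                continue
            old, new = base[name].get(field), cur[name].get(field)
            if old != new:
                findings.append((name, "changed", field, old, new))
    return findings


if __name__ == "__main__":
    for finding in diff_profiles(BASELINE_EXPORT, CURRENT_EXPORT):
        print(finding)
```

Run against the constructed exports it reports the `cert_auth` flip and the new `on_connect_script` on Corp-VPN and the appearance of Temp-Profile, and nothing for Contractors. In practice, schedule the export and diff from a host other than the EMS server itself so an attacker with command execution on EMS cannot quietly reset the baseline.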