Your endpoint manager just delivered malware to every device it manages.

That is not a hypothetical. It happened this week.

CVE-2026-35616 is a pre-authentication API bypass in FortiClient Endpoint Management Server (EMS). CVSS 9.1. Actively exploited.

Here is what the attack looks like: the attacker authenticates to your EMS without credentials, takes control of the management plane, and pushes a PowerShell command to every managed endpoint simultaneously. The payload — the EKZ infostealer — arrives disguised as a legitimate Fortinet firmware update. Endpoints execute it silently because it came from the system they trust.

EKZ then steals Chrome and Firefox credentials (including encrypted password bypass), credit card data, session cookies that bypass MFA, and phone numbers. Everything gets exfiltrated over HTTP. All from a single unauthenticated request to your management server.

The uncomfortable part: endpoint management platforms are trusted at the kernel level by every device they manage. One compromise equals mass compromise. No lateral movement required. No per-device exploit chain. You pushed the malware yourself — the attacker just used your infrastructure to do it.

Fortinet confirmed active exploitation in early April and patched in FortiClient EMS 7.4.7. Emergency hotfixes were issued for 7.4.5 and 7.4.6. Anything below 7.4.5 is unpatched and actively targeted.

Three things to verify now:

1. Check your FortiClient EMS version. If you are not on 7.4.7, patch immediately — emergency hotfixes are available going back to 7.4.5.

2. Audit PowerShell execution history on managed endpoints for the past 60 days. Look for FortiClient-named executables dropped via PowerShell that do not match your known update schedule.

3. Restrict EMS network access. The management API should not be reachable from the internet or untrusted internal segments. If it is, isolate it now.
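To make the second check concrete, here is an added PowerShell script (mine, not from the post and not Fortinet tooling) that runs on a managed Windows endpoint, pulls the last 60 days of PowerShell activity, and flags any download or launch of a FortiClient-named executable that falls outside your known update windows. It assumes PowerShell Script Block Logging (event 4104) is enabled, and for the process-creation cross-check that Security auditing of process creation with command-line logging (event 4688) is on and the session is elevated. The update window in the parameters is a constructed placeholder, the filename and invocation patterns are my own heuristics, and the 4688 property indexes are those of current Windows 10/11 and Server builds.

```powershell
<#
Added example, not code from the original post or from Fortinet.
Audits one managed Windows endpoint for FortiClient-named executables
dropped or launched via PowerShell in the last $Days days, and flags
any that do not fall inside a known update window.
Assumptions: event 4104 (Script Block Logging) is enabled; event 4688
with command-line logging is enabled and the shell is elevated.
#>
param(
    [int]$Days = 60,
    # Constructed placeholder window; replace with your real EMS update schedule.
    [hashtable[]]$KnownUpdateWindows = @(
        @{ Start = [datetime]'2026-04-01T02:00:00'; End = [datetime]'2026-04-01T04:00:00' }
    ),
    [string]$OutCsv = (Join-Path $env:TEMP 'forticlient-ps-audit.csv')
)

$since = (Get-Date).AddDays(-$Days)
# Filenames that would pass as a Fortinet update at a glance (-match is case-insensitive).
$namePattern = 'forti(client|net)[\w\-\.]*\.(exe|msi)'
# Script idioms used to fetch or run a binary from a PowerShell payload.
$dropPattern = 'Invoke-WebRequest|\biwr\b|Start-BitsTransfer|DownloadFile|Start-Process|Invoke-Expression|\biex\b|-EncodedCommand|\s-e(c|nc)?\s'

function Test-InKnownWindow {
    param([datetime]$When)
    foreach ($w in $KnownUpdateWindows) {
        if ($When -ge $w.Start -and $When -le $w.End) { return $true }
    }
    return $false
}

function New-Finding {
    param($Event, [string]$Source, [string]$Name, [string]$Detail)
    $short = ($Detail -replace '\s+', ' ')
    [pscustomobject]@{
        Time           = $Event.TimeCreated
        Computer       = $Event.MachineName
        Source         = $Source
        Executable     = $Name
        InUpdateWindow = Test-InKnownWindow $Event.TimeCreated
        Detail         = $short.Substring(0, [Math]::Min(200, $short.Length))
    }
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Script block text as actually executed (event 4104); this survives launcher obfuscation.
$scriptBlocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $scriptBlocks) {
    $text = [string]$e.Properties[2].Value        # ScriptBlockText
    if ($text -match $namePattern) {
        $name = $Matches[0]
        if ($text -match $dropPattern) {
            $findings.Add((New-Finding $e 'PS-4104' $name $text))
        }
    }
}

# 2. Process creation (event 4688): a FortiClient-named binary whose parent is PowerShell.
$procs = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $procs) {
    $p = $e.Properties
    $newProc = [string]$p[5].Value                                        # NewProcessName
    $cmdLine = if ($p.Count -gt 8)  { [string]$p[8].Value }  else { '' }  # CommandLine
    $parent  = if ($p.Count -gt 13) { [string]$p[13].Value } else { '' }  # ParentProcessName
    if ($newProc -match $namePattern) {
        $name = $Matches[0]
        if ($parent -match 'powershell|pwsh') {
            $findings.Add((New-Finding $e 'SEC-4688' $name "$newProc $cmdLine"))
        }
    }
}

# Persist everything; print only what falls outside the known update schedule.
$findings | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation
$suspect = @($findings | Where-Object { -not $_.InUpdateWindow })
Write-Host ("{0} FortiClient-named drops via PowerShell in the last {1} days; {2} outside known update windows. Full list: {3}" -f $findings.Count, $Days, $suspect.Count, $OutCsv)
$suspect | Format-Table Time, Source, Executable, Detail -AutoSize
```

Run it elevated on the endpoint, or fan it out through whatever remote-execution or EDR tooling you already trust. An empty 4104 result usually means Script Block Logging is off (Group Policy: Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging), in which case only the 4688 path produces evidence. Any hit outside a known update window is a lead to pull the full script block and the binary hash for, not proof on its own.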

This attack pattern — management infrastructure as mass delivery vehicle — appeared with Intune/Microsoft MDM in March 2026. Now it is Fortinet EMS. The management layer is the highest-value target in your environment.

Links for a deeper technical dive are in the comments.

For those who want a deeper dive into this topic: