Hackers exploit FortiClient EMS flaw to push infostealer malware
ID: aefd8edf-bab1-59f0-acae-6a117803b9d1
STIX ID: report--aefd8edf-bab1-59f0-acae-6a117803b9d1
Feed Name: Bleeping Computer
Attackers are actively exploiting CVE-2026-35616 in FortiClient EMS to push an EKZ infostealer, abusing unauthenticated endpoint APIs and VPN scripting workflows. The payload runs via fortitray/Command Prompt and PowerShell, harvests browser-stored credentials, payment cards, and cookies, and exfiltrates the data to an attacker-controlled VPS. Fortinet released emergency hotfixes and CISA ordered federal mitigations; observers reported thousands of exposed EMS instances. Detection guidance points to log strings such as "Certificate not found in request header."
