TL;DR: CVE-2026-35616 is a critical (CVSS 9.1) FortiClient EMS API authentication bypass that lets unauthenticated attackers run code on the management server. Active exploitation began in late March 2026, Fortinet patched on April 4, and in May 2026 Arctic Wolf observed attackers using the bug to deliver a fake "Fortinet patch" that actually installs EKZ Infostealer via PowerShell. For NC small businesses, the action items are simple and time-sensitive: patch FortiClient EMS now, restrict port 8013, verify any Fortinet update through official channels only, and confirm EDR is actually catching post-exploit PowerShell behavior.
Key takeaway: When attackers can disguise their payload as the vendor's own patch, "we keep up with updates" is no longer a defense on its own. You need verified patch sources, locked-down management ports, and behavior-based detection on the endpoint.
Running FortiClient EMS in your environment? Preferred Data Corporation can verify your patch level, harden the EMS server, and confirm endpoint detection on the same day. Call (336) 886-3282 or request an emergency Fortinet review.
What is CVE-2026-35616 and why is it critical?
CVE-2026-35616 is an improper access control flaw in FortiClient Enterprise Management Server (EMS) that lets an unauthenticated attacker bypass API authentication and execute unauthorized commands. The CVSS score is 9.1, and the issue is tracked under CWE-284 (Improper Access Control). The NIST National Vulnerability Database confirms the rating, and Arctic Wolf documents active in-the-wild exploitation in May 2026.
Three facts make this a top-priority issue for SMBs:
- Unauthenticated attack. No stolen credential or phishing click is required. A crafted HTTP request to an exposed EMS server is enough.
- High blast radius. A compromised EMS server gives the attacker the ability to push endpoint configurations, manipulate policies, and pivot deeper into the environment, according to watchTowr Labs.
- Confirmed in CISA KEV. CISA and Fortinet have both confirmed exploitation in the wild, which carries federal patching urgency and is increasingly tied to cyber insurance reviews.
For NC small businesses using FortiClient EMS to manage endpoints across one or many locations, this is a do-it-today issue, not a sprint backlog item.
How are attackers using CVE-2026-35616 right now?
Attackers are weaponizing the vulnerability with a social-engineering twist: they disguise the payload as the patch itself. According to Arctic Wolf research and Help Net Security, the May 2026 campaign chains the EMS auth bypass with a malicious executable that masquerades as a legitimate Fortinet endpoint update. The fake "patch" is launched silently through PowerShell and drops EKZ Infostealer, which targets browser-stored credentials, cookies, password manager databases, and cryptocurrency wallets.
| Attack stage | What it looks like | Why it matters for SMBs |
|---|---|---|
| Initial access | Unauthenticated API call to EMS (TCP 8013) | No user interaction needed |
| Payload delivery | Fake "Fortinet endpoint update" | Bypasses staff vigilance, looks legitimate |
| Execution | PowerShell-launched executable | PowerShell is usually allowed to run on SMB endpoints |
| Goal | EKZ Infostealer drops, harvests credentials | Fuels follow-on extortion and SaaS takeover |
The combination matters because SMB staff are explicitly trained to "patch when the vendor says patch." That trust is what this attack monetizes.
Who is at risk and what is the SMB exposure?
Any NC small business running FortiClient EMS (especially with the management web/API port reachable from outside its trusted network) is in the immediate blast zone. Even fully internal deployments are at risk if an attacker has any foothold, because EMS sits at the policy-and-control layer for every managed endpoint. Security Affairs and eSecurity Planet report widespread scanning following Fortinet's April 4, 2026 advisory.
The SMB-specific exposure stacks:
- Lateral movement at scale. Compromising EMS can mean compromising every endpoint EMS manages.
- Credential theft fuels the next breach. EKZ Infostealer harvests credentials that get sold for downstream ransomware and SaaS takeover, including the kind of session-cookie theft that bypasses MFA.
- Insurance and CMMC exposure. Cyber insurers and DoD CMMC reviewers now expect documented patching of CISA KEV entries, and missed entries are a common claim-denial trigger.
- Regional impact. Many Piedmont Triad and Charlotte-area manufacturers and professional firms run Fortinet stacks because of price/performance, which means the regional exposure is meaningful, not theoretical.
Quotable definition: EKZ Infostealer is a credential-stealing malware family that targets browser-stored secrets, cookies, password manager files, and wallet data on Windows endpoints, and was observed in May 2026 being delivered via a fake Fortinet patch tied to CVE-2026-35616.
What should an NC small business do this week?
Treat this as an emergency change with a five-step playbook, in order. Most NC SMBs can complete the high-risk steps in a single business day.
- Patch FortiClient EMS now. Apply the fixed version per Fortinet's PSIRT advisory. Confirm version post-patch, not just that the update ran.
- Restrict port 8013 (and the EMS management UI). Port 8013 is the FortiClient-to-EMS connection port, so allow it only from the networks where managed endpoints live, or over VPN for roaming users; limit the admin console to admin subnets or VPN-only access. Neither interface should be reachable from the public internet.
- Verify the source of any "Fortinet update" your team sees. EMS fixes come from the Fortinet support portal and FortiClient updates from deployments your own EMS administrators initiate; anything that arrives another way (an email attachment, a download link, a file dropped on a share) gets quarantined until validated. Train help desk and admins to expect the fake-patch lure.
- Hunt for compromise before declaring success. Look for unexpected PowerShell child processes from FortiClient or EMS contexts, unusual outbound traffic from the EMS server, new admin accounts, and EKZ Infostealer indicators flagged by your EDR/MDR vendor.
- Confirm EDR/MDR coverage is behavior-based. Signature-only AV will miss the PowerShell-loaded payload. EDR/MDR catching unusual process trees is the difference between "blocked" and "breached."
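The patch-verification and port-restriction steps above, as an added example that is not Fortinet's own tooling and not code from this page's author. It runs as an administrator on the EMS server. Assumptions, all of which you must adjust to your environment: the fixed build number comes from Fortinet's PSIRT advisory (the default below is a placeholder, not the real fixed version), TCP 8013 is the FortiClient-to-EMS connection port and TCP 443 the admin console, the subnets are illustrative, and the registry display-name match for EMS is a guess. Without -Apply the script only reports.

```powershell
# Added example (not Fortinet's tooling): verify the EMS patch level and scope the
# EMS ports on the Windows host firewall. Assumptions are marked inline.
param(
    [version]$FixedVersion  = '0.0.0.0',            # placeholder: copy from the PSIRT advisory
    [string[]]$EndpointNets = @('10.0.0.0/8'),      # where managed FortiClients live (or the VPN pool)
    [string[]]$AdminNets    = @('10.10.50.0/24'),   # admin / VPN subnet allowed to reach the console
    [switch]$Apply                                  # without -Apply the script only reports
)

# 1. Read the installed EMS version from the Uninstall registry keys. The display-name
#    patterns are an assumption; if nothing matches, confirm the version in the console.
function Get-EmsVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*FortiClient*EMS*' -or
                       $_.DisplayName -like '*Endpoint Management Server*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}
$installed = Get-EmsVersion
$parsed = $null
if (-not $installed) {
    Write-Warning 'EMS not found under the Uninstall keys; confirm the version in the EMS console.'
} elseif (-not [version]::TryParse($installed, [ref]$parsed)) {
    Write-Warning "EMS reports version '$installed', which does not parse; compare it to the advisory by hand."
} elseif ($parsed -lt $FixedVersion) {
    Write-Warning "EMS $installed is below the fixed version $FixedVersion; patch before hardening."
} else {
    "EMS $installed is at or above the fixed version $FixedVersion."
}

# 2. Show which addresses the EMS ports are bound to and which process owns them.
Get-NetTCPConnection -State Listen -LocalPort 8013, 443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

# 3. Disable any enabled inbound allow rule for the port whose remote scope is 'Any' and
#    add one scoped to the given subnets. Windows evaluates block rules before allow rules,
#    so no block rule is added; the profile's default inbound action (Block) does that job.
function Set-ScopedAllow {
    param([int]$Port, [string[]]$Remote, [string]$Name)
    $broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains "$Port" -and $af.RemoteAddress -contains 'Any'
        }
    foreach ($r in $broad) {
        $action = if ($Apply) { 'disabling' } else { 'would disable (run with -Apply)' }
        "Port $Port is allowed from Any by rule '$($r.DisplayName)': $action"
        if ($Apply) { Disable-NetFirewallRule -Name $r.Name }
    }
    if ($Apply -and -not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP -LocalPort $Port `
            -RemoteAddress $Remote -Action Allow -Profile Any | Out-Null
    }
    "Port $Port scoped to: $($Remote -join ', ') (rule '$Name')"
}

if ($Apply) { Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block }
Set-ScopedAllow -Port 8013 -Remote $EndpointNets -Name 'FortiClient EMS 8013 (scoped)'
# If your FortiClient release downloads installers from EMS over 443, include $EndpointNets
# in the 443 scope as well; check Fortinet's port reference for your version.
Set-ScopedAllow -Port 443  -Remote $AdminNets    -Name 'FortiClient EMS console 443 (scoped)'
```

Run it once without -Apply and read the report: confirm the version comparison is against the build number in the advisory, and confirm that your RDP or WinRM allow rules are present before you switch the default inbound action to Block, or you will lock yourself out of the server you are hardening.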
Need this done today, not next sprint? Call (336) 886-3282 or contact Preferred Data Corporation for an emergency Fortinet review across firewall, EMS, and endpoint.
Why is this a managed security problem, not a patch-once problem?
Because the next CISA KEV entry will arrive before you finish writing the post-mortem on this one. The pattern across 2025-2026 is consistent: vendor edge and management systems (Fortinet, SonicWall, Citrix, VPN appliances) are now the most profitable attack surface, and unauthenticated bugs land in active exploitation within days of disclosure. Acrisure's 2026 small business threat outlook and Sandstone Insurance both put rapid patching and edge hardening at the top of the SMB 2026 priority list.
For a Piedmont Triad small business, the math is simple. A single overlooked KEV entry can be the access vector for a ransomware event that costs millions. A managed program that patches, hardens, and monitors edge appliances on a 24/7 cycle is a small fraction of that loss and is exactly the kind of control cyber insurers now require. Preferred Data Corporation has delivered that managed protection to North Carolina small businesses for over 37 years, from our High Point headquarters and on-site across the Piedmont Triad, Charlotte, Greensboro, Raleigh, and Winston-Salem.
PDC supports this work through managed cybersecurity, managed IT services, and network and infrastructure.
Frequently Asked Questions
Is CVE-2026-35616 still being exploited?
Yes. Arctic Wolf and Help Net Security confirmed active exploitation as recently as May 2026, with the EKZ Infostealer fake-patch campaign continuing after Fortinet's April 4 advisory. CISA lists the CVE in its Known Exploited Vulnerabilities catalog; KEV entries carry a binding remediation deadline for federal civilian agencies under BOD 22-01, and federal contractors, agency-adjacent businesses, and cyber insurers treat that deadline as the expected standard.
We patched, but how do we know we were not already breached?
Hunt for indicators of compromise before declaring victory. The high-value signals are unexpected PowerShell processes spawned from FortiClient or EMS, new admin accounts or scheduled tasks on the EMS server, outbound connections from EMS to unfamiliar IPs, and EDR/MDR alerts matching EKZ Infostealer behavior. If you do not have an EDR/MDR product with retrospective hunting, a managed partner can run a targeted compromise assessment in hours, not weeks.
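The hunt described in step 4 of the playbook and in the answer above, as an added example that is not Fortinet's or Arctic Wolf's tooling and not code from this page. It runs as an administrator on the EMS server itself and checks the four signals the page names: PowerShell spawned under a FortiClient/EMS parent, new or elevated accounts, freshly registered scheduled tasks, and outbound connections to non-private addresses. Assumptions: Windows Server with Process Creation auditing (Security event 4688) enabled, Sysmon optional, and -ParentPattern is a guess at the FortiClient/EMS install-path fragment that you should adjust to your install.

```powershell
# Added example (not vendor tooling): first-pass compromise hunt on a FortiClient EMS host.
param(
    [int]$Days = 30,                      # look-back window
    [string]$ParentPattern = '*Forti*'    # assumed path fragment for EMS/FortiClient parents
)
$since    = (Get-Date).AddDays(-$Days)
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Time, $Type, $Detail) {
    $findings.Add([pscustomobject]@{ Time = $Time; Type = $Type; Detail = $Detail })
}

# Flatten an event's <EventData> block into a name -> value table.
function Get-EventDataMap($Event) {
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in @($xml.Event.EventData.Data)) { if ($d.Name) { $map[$d.Name] = $d.'#text' } }
    return $map
}

# Return matching events, or nothing if the log is absent or has no matches in the window.
function Get-EventsSafe($Log, $Ids) {
    try { Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $since } -ErrorAction Stop }
    catch { @() }
}

# 1. PowerShell launched under a FortiClient/EMS parent: Security 4688 and Sysmon event 1.
$procSources = @(
    @{ Log = 'Security'; Id = 4688; Child = 'NewProcessName'; Parent = 'ParentProcessName' },
    @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; Child = 'Image'; Parent = 'ParentImage' }
)
foreach ($s in $procSources) {
    foreach ($e in Get-EventsSafe $s.Log $s.Id) {
        $d = Get-EventDataMap $e
        if ($d[$s.Child] -match '\\(powershell|pwsh)\.exe$' -and $d[$s.Parent] -like $ParentPattern) {
            Add-Finding $e.TimeCreated 'PowerShell under Forti* parent' "$($d[$s.Parent]) -> $($d[$s.Child]) $($d['CommandLine'])"
        }
    }
}

# 2. Accounts created (4720) or added to a local group such as Administrators (4732).
foreach ($e in Get-EventsSafe 'Security' @(4720, 4732)) {
    $d = Get-EventDataMap $e
    Add-Finding $e.TimeCreated "Account change (event $($e.Id))" "target=$($d['TargetUserName']) member=$($d['MemberName']) by=$($d['SubjectUserName'])"
}

# 3. Scheduled tasks registered inside the window, a common persistence spot.
foreach ($t in Get-ScheduledTask) {
    if ($t.Date -and ([datetime]$t.Date) -gt $since) {
        $act = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding ([datetime]$t.Date) 'New scheduled task' "$($t.TaskPath)$($t.TaskName): $act"
    }
}

# 4. Established outbound connections to non-private addresses, with the owning process.
#    Expect Fortinet's own FortiGuard traffic here; anything else needs an explanation.
$privateNet = '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
foreach ($c in Get-NetTCPConnection -State Established) {
    if ($c.RemoteAddress -notmatch $privateNet) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding (Get-Date) 'External connection' "$($p.ProcessName) (PID $($c.OwningProcess)) -> $($c.RemoteAddress):$($c.RemotePort)"
    }
}

if ($findings.Count -eq 0) { "No findings in the last $Days days; widen -Days or check EDR telemetry." }
else { $findings | Sort-Object Time | Format-Table -AutoSize -Wrap }
```

This is a triage pass, not a clean bill of health: 4688 only records parent process names on Windows 10 and Server 2016 or later with Process Creation auditing turned on, and a live process list only shows what is running right now. Treat any hit in category 1 as an incident until proven otherwise, and pair the output with your EDR/MDR vendor's EKZ Infostealer indicators.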
Will EDR alone stop EKZ Infostealer?
A modern, behavior-based EDR or MDR will typically catch the PowerShell-loaded EKZ payload because the process tree is suspicious even if the binary is novel. Legacy signature-only AV will frequently miss it. The combination that works for SMBs is EDR/MDR with 24/7 monitoring plus disciplined patching and an enforced no-side-channel-patch policy.
How does this affect cyber insurance?
Most 2026 SMB cyber insurance policies require documented patching of CISA KEV entries, EDR/MDR coverage, MFA on management interfaces, and a written incident response plan. CVE-2026-35616 is exactly the kind of issue an underwriter will ask about at renewal, and a missed patch is a common path to a denied claim, per Velocity Technology and Fairdinkum 2026 reporting.
Are we exposed even if our EMS is internal-only?
Yes, if any attacker can get a foothold via phishing, an exposed RDP service, or a separate vulnerable edge appliance. Internal-only does not equal safe when EMS sits at the control layer for every managed endpoint. Restrict port 8013 to the networks your managed endpoints actually use, limit the management UI to trusted admin networks with MFA enforced, and segment EMS away from general user VLANs.
Related Resources
- Managed Cybersecurity Services for NC Businesses - 24/7 monitoring and patch governance
- Managed IT Services for NC Businesses - Patch, harden, monitor, recover
- Network and Infrastructure Services - Edge appliance hardening and segmentation
- Cyber Insurance Premium Hike Defense Guide - Meet 2026 underwriting expectations
- SonicWall and Fortinet Firewall Vulnerability Crisis - Edge appliance defense
- Contact Preferred Data Corporation - Emergency Fortinet review and remediation