Cybersecurity firm Arctic Wolf reported on May 28, 2026, that threat actors are actively exploiting a critical vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS). The flaw, tracked as CVE-2026-35616, carries a CVSS score of 9.1.

Attackers are using the vulnerability, which had previously been patched, to escalate privileges and deploy credential-stealing malware. The campaign disguises these malicious payloads as legitimate Fortinet endpoint updates.

The operation abuses trusted management infrastructure to push malicious commands to connected devices. This tactic makes the attack appear as a legitimate system operation, significantly complicating detection for customers.