Critical FortiClient EMS Flaws Actively Exploited to Deploy Credential Stealers
Threat actors are actively exploiting critical vulnerabilities in Fortinet FortiClient Endpoint Management Server (EMS), including CVE-2026-35616 and CVE-2026-21643. CVE-2026-35616, a critical security flaw, was actively exploited in the wild to deploy credential-stealing malware (EKZ Infostealer), prompting an emergency patch in April 2026. CVE-2026-21643 is also mentioned in active exploitation campaigns.
Signal context
First seen: Mar 30, 2026
Last updated: Jun 19, 2026
Status: Public signal
Key points
- CVE-2026-35616 (CVSS 9.1): Critical security flaw in FortiClient EMS actively exploited.
- Exploitation used to deploy EKZ Infostealer malware.
- Emergency patch released in April 2026.
Signal analysis
BetaIt helps compare this signal with other published signals without treating the labels as final determinations.
Likely country: Location not provided
Watch ransomware, endpoint compromise and business interruption exposure.
- Source type: outside the affected organization
Impact area: Confidentiality
Likely asset: User or customer data, Server or cloud data store
- 1 signal in the same sector
- 22 signals with the same likely impact area
- 3 signals linked to this organization/domain
External sources
https://www.thehackernews.com/2026/06/attackers-exploit-three-fortinet.htmlhttps://www.thehackernews.com/2026/06/attackers-exploit-three-fortinet.htmlPublic source from thehackernews.com.
https://www.bleepingcomputer.com/news/security/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks/https://www.bleepingcomputer.com/news/security/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks/Public source from bleepingcomputer.com.
Related signals
Grouped by why the signal is relevant.
Active Exploitation of Multiple Critical FortiSandbox Vulnerabilities
Threat actors are actively exploiting multiple critical vulnerabilities in Fortinet FortiSandbox products, including CVE-2026-39813 (path traversal), CVE-2026-39808 (OS command injection), and CVE-2026-25089 (OS command injection). These flaws could allow unauthenticated attackers to bypass authentication, execute unauthorized code or commands, and escalate privileges. Fortinet released patches for these vulnerabilities in April and June 2026. Exploitation has been observed from multiple sources across various countries.
FortiCloud SSO Authentication Bypass Vulnerabilities Actively Exploited
Multiple critical authentication bypass vulnerabilities related to FortiCloud Single Sign-On (SSO) have been actively exploited in Fortinet products. CVE-2026-24858, disclosed in January 2026, allowed malicious actors with a FortiCloud account to log in to devices registered to other users if FortiCloud SSO was enabled. This led to unauthorized firewall configuration changes, account creation, and VPN configuration changes. Earlier, CVE-2025-59718 and CVE-2025-59719 (December 2025) allowed unauthenticated attackers to bypass SSO login via crafted SAML messages. Attacks exploiting these flaws have been observed creating rogue accounts and stealing firewall configuration data.
Ultrahuman Data Breach Exposes Customer Wellness Data
Wearable health-tech startup Ultrahuman confirmed a data breach where hackers accessed customer wellness data through credentials stolen from an employee's malware-infected laptop. Approximately 0.1% of its user base was affected.
Marquis Software Solutions Ransomware Attack Exposes 672,000 Individuals
A ransomware attack on fintech firm Marquis led to the theft of sensitive personal and financial data, impacting hundreds of thousands of individuals.
Cl0p Ransomware Group Exploits Oracle E-Business Suite Zero-Day
The Cl0p ransomware group launched a large-scale extortion campaign by exploiting a zero-day vulnerability (possibly CVE-2025-61882) in Oracle's E-Business Suite (EBS). This led to critical data breaches for dozens of large corporations, with over 100 companies allegedly impacted. The exploitation activity was observed as early as August 9, 2025, weeks before a patch was available, and suspicious activity dated back to July 10, 2025. The threat actors exfiltrated a significant amount of data from impacted organizations and sent high-volume emails to executives demanding payment.
Oracle Affected by FortiBleed Campaign
Oracle was identified as one of over 22,000 corporate domains affected by the FortiBleed campaign. A Russian-speaking criminal group compromised Fortinet firewall and VPN devices globally, exfiltrating credentials and potentially gaining full network access.