If EKZ successfully harvests credentials and session tokens from systems connected through FortiClient EMS, attackers gain the means to authenticate as legitimate users across enterprise applications — including email, cloud services, and internal platforms — without triggering password-based controls. This creates direct exposure to data theft, business email compromise, and lateral movement that could escalate to ransomware deployment or long-term persistent access. Organizations in regulated industries face compounded risk: credential-based breaches routinely trigger breach notification obligations and regulatory scrutiny under data protection frameworks.
You Are Affected If
You run Fortinet FortiClient EMS version 7.4.5 or 7.4.6 in your environment
Your FortiClient EMS management interface is accessible from the internet without network-layer access controls
FortiClient VPN scripting workflows are enabled and can be triggered by unauthenticated or lightly authenticated sessions
You have not yet applied the Fortinet PSIRT-confirmed patch for CVE-2026-35616
Endpoints managed by the affected EMS instance store credentials in browser profiles accessible to the local file system
Board Talking Points
A critical flaw in our Fortinet VPN management platform is being actively exploited to steal employee login credentials and session access — giving attackers a path into our systems without needing a password.
Security teams should apply the vendor patch immediately and audit internet-facing access to this system; if patching cannot happen within 24 hours, temporary isolation of the affected server is warranted.
Without action, attackers who have already harvested credentials may maintain persistent access even after patching — making early detection and credential rotation as important as the fix itself.
PCI-DSS — EKZ is confirmed to harvest payment card data from browser storage; any environment where FortiClient EMS manages endpoints used for payment processing falls directly within PCI-DSS scope, with the associated incident-handling obligations
GDPR / regional data protection laws — session cookie and credential theft constitutes unauthorized access to personal data; organizations processing EU resident data may have breach notification obligations under Article 33 if exploitation is confirmed