CVE-2026-35616 in Fortinet FortiClient EMS is confirmed as actively exploited in malware deployment campaigns that use the legitimate FortiClient VPN software update mechanism to deliver EKZ, a previously undocumented infostealer that harvests browser credentials, session cookies, and payment card data. Its EPSS score of 0.4117 places it in the 97th percentile for exploitation probability. Fortinet released a patch in April 2026. Two source items cover this CVE; SCC-CVE-2026-0236 contains the more technically detailed analysis and should be treated as the primary reference.