The rapid exploitation of CVE-2026-35616 in FortiClient EMS, patched by Fortinet in early April but still actively targeted, underscores an accelerating pattern where attackers prioritize central management platforms for mass endpoint compromise rather than isolated devices. Unlike isolated endpoint flaws, this unauthenticated RCE vector allows threat actors to weaponize FortiClient’s own VPN scripting and policy-push mechanisms to deploy EKZ Infostealer across entire managed fleets, harvesting browser credentials from Chrome, Edge, and Firefox via HTTP exfiltration. Arctic Wolf’s reporting correctly identifies the disguised patch delivery and PowerShell invocation but underplays the architectural risk: EMS functions as a de facto supply-chain node, granting attackers lateral control equivalent to a trusted insider. This mirrors prior Fortinet perimeter compromises, including the 2023 FortiOS SSL-VPN zero-days (CVE-2023-27997) and the 2022 FortiClient EMS issues that enabled similar remote code paths, as documented in CISA KEV entries and Mandiant’s annual threat reports. The addition to CISA’s Known Exploited Vulnerabilities catalog on April 6 signals federal urgency, yet many enterprises continue delayed patching cycles on management appliances. The observed use of legitimate workflows for malicious payloads reveals a deeper intelligence gap—adversaries are conducting pre-compromise reconnaissance of FortiClient environments to blend operations, a tactic previously seen in ransomware campaigns targeting Ivanti and SonicWall appliances. Organizations must treat EMS instances as high-value crown jewels requiring network segmentation, behavioral monitoring of script executions, and rapid hotfix adoption to disrupt this weaponization cycle.