VYPR
Trend · Published May 31, 2026 · 1 source

Week in Review: Infostealer Dropped via FortiClient EMS Flaw, Exploited Trend Micro Apex One Flaw

This week's roundup covers active exploitation of FortiClient EMS and Trend Micro Apex One vulnerabilities, a high-severity SharePoint RCE patch, and a LinkedIn-themed phishing campaign abusing Adobe's A/B testing platform.

This week's cybersecurity news cycle was dominated by two actively exploited vulnerabilities: a FortiClient Enterprise Management Server (EMS) flaw being used to drop infostealer malware, and a Trend Micro Apex One vulnerability that has drawn a CISA warning. Both require urgent patching to prevent data theft and further compromise.

The FortiClient EMS vulnerability, tracked as CVE-2026-35616, is an improper access control flaw in the centralized management platform used by IT admins to deploy and monitor FortiClient endpoint security software. Attackers are exploiting this bug to deliver a broad-spectrum infostealer to enterprise computers. The malware, identified as EKZ Infostealer, targets credentials and sensitive data, posing a significant risk to organizations that have not yet patched their FortiClient EMS instances.

Separately, the Trend Micro Apex One platform is under active exploitation via a relative directory path traversal vulnerability, CVE-2026-34926. Trend Micro confirmed that this flaw has been used in zero-day attacks, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to secure their systems. Apex One is a widely deployed endpoint protection solution, making this a high-priority issue for enterprise security teams.

Microsoft also released patches for a high-severity remote code execution vulnerability in SharePoint, CVE-2026-45659. The bug affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, and may be exploited in low-complexity attacks. Organizations running any of these versions should apply the updates immediately to prevent potential breaches.

In the phishing realm, a new campaign is targeting professionals with fake LinkedIn business emails that abuse Adobe's A/B testing platform. The attack begins with an email that appears to be a routine business inquiry, complete with a signed contract for review. This technique leverages a trusted service to evade detection, highlighting the growing sophistication of social engineering attacks.

Other notable stories this week include a five-stage exploit chain in Zapier that turned a free account into write access on internal packages, and new research from Cisco showing that frontier AI models collapse under multi-turn attacks, revealing gaps in safety benchmarks. The Verizon 2026 Data Breach Investigations Report also provided valuable insights, analyzing over 31,000 security incidents across 145 countries.

As always, security leaders are urged to prioritize patching for actively exploited vulnerabilities and to remain vigilant against evolving phishing tactics. The convergence of infostealer campaigns and zero-day exploits underscores the need for robust vulnerability management and user awareness training.

Synthesized by Vypr AI