Exploitation of FortiClient EMS Flaw CVE-2026-35616 Leads to EKZ Infostealer Deployment
Severity: High (Score: 72.9)
Sources: Technadu, Bleepingcomputer, arcticwolf.com
Keywords: forticlient, infostealer, cve-2026-35616, hackers, exploiting, management, server
Severity indicators: flaw, malware, stealer, infostealer, CVE:CVE-2026-35616
Summary
Hackers are exploiting CVE-2026-35616, an authentication bypass vulnerability in FortiClient EMS, to deploy EKZ Infostealer malware disguised as a legitimate Fortinet patch. This flaw allows unauthenticated attackers to execute arbitrary code via specially crafted requests. The attacks leverage FortiClient-managed VPN scripting workflows, initiating with fortitray.exe or ipsec.exe to launch cmd.exe, which then executes PowerShell commands to run the malware. The EKZ Infostealer targets multiple web browsers, extracting sensitive data such as passwords and credit card information. Fortinet confirmed the exploitation in early April 2026 and released emergency patches for affected versions. CISA has mandated federal agencies to secure their systems against this threat. Arctic Wolf has reported ongoing attacks and recommends monitoring for specific certificate-authentication anomalies as indicators of compromise.
Key Points:
- CVE-2026-35616 is being actively exploited to deploy EKZ Infostealer malware.
- Attackers leverage FortiClient EMS vulnerabilities to bypass authentication and execute malicious scripts.
- Fortinet has released emergency patches, and CISA has ordered federal agencies to secure their systems.
Detailed Analysis
**Impact**
Approximately 2,000 internet-exposed FortiClient EMS instances are at risk globally, affecting organizations using versions 7.4.5 and 7.4.6. The exploitation leads to deployment of the EKZ infostealer, which compromises credentials, credit card details, addresses, phone numbers, and session cookies from multiple browsers, including Chromium-based browsers and Firefox. This data theft threatens account security, including accounts protected by multi-factor authentication, and potentially impacts any sector relying on Fortinet endpoint security solutions.
**Technical Details**
The attack exploits CVE-2026-35616, an improper access control vulnerability allowing unauthenticated remote attackers to bypass API authentication and execute arbitrary commands on FortiClient EMS. Attackers modify EMS configurations and VPN scripting workflows to run malicious batch scripts via fortitray.exe or ipsec.exe, which invoke PowerShell to deploy EKZ Infostealer disguised as a Fortinet patch. EKZ is a MinGW-compiled credential stealer that targets browsers and exfiltrates the extracted data to an attacker-controlled VPS over HTTP. Indicators include log entries with "Certificate not found in request header" followed by "Certificate user: fortinet-ca2 … successfully updated."
**Recommended Response**
Apply Fortinet emergency hotfixes for FortiClient EMS versions 7.4.5 and 7.4.6 immediately. Monitor logs for certificate-authentication anomalies and unexpected Remote Access Profile configuration changes. Investigate suspicious administrative activities such as new accounts, logins from unfamiliar IPs (e.g., Tor or VPS addresses), and configuration modifications. Deploy detection rules targeting the EKZ execution chain involving fortitray.exe, cmd.exe, and PowerShell, and block communications to known attacker-controlled VPS infrastructure.
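The two indicators described above (the certificate-authentication log sequence and the fortitray.exe/ipsec.exe → cmd.exe → PowerShell execution chain) turned into detection logic, as an added example that is not code from the source articles or from Arctic Wolf; the log line layout, the five-minute pairing window and the EDR-style process event tuples are assumptions, and the sample data is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines modelled on the indicator strings quoted above.
# Timestamp/level layout is assumed; this is not real FortiClient EMS output.
# Whatever the write-up elides between "fortinet-ca2" and "successfully updated"
# is not reproduced here; the matcher only requires both substrings.
EMS_LOG = [
    "2026-05-20T10:01:02Z INFO Certificate not found in request header",
    "2026-05-20T10:01:03Z INFO Certificate user: fortinet-ca2 successfully updated",
    "2026-05-20T11:30:00Z INFO Certificate user: fortinet-ca2 successfully updated",
    "2026-05-20T12:00:00Z INFO Certificate not found in request header",
    "2026-05-20T12:45:00Z INFO Certificate user: fortinet-ca2 successfully updated",
]
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+(.*)$")

def cert_auth_anomalies(lines, window=timedelta(minutes=5)):
    """Return (miss_ts, update_ts) pairs where a 'Certificate not found' entry is
    followed within `window` by a successful fortinet-ca2 certificate update.
    A lone update (no preceding miss) or a stale miss is ignored."""
    hits, pending = [], None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        msg = m.group(2)
        if "Certificate not found in request header" in msg:
            pending = ts
        elif "Certificate user: fortinet-ca2" in msg and "successfully updated" in msg:
            if pending is not None and ts - pending <= window:
                hits.append((pending, ts))
            pending = None
    return hits

# Constructed process-creation events (pid, parent pid, image), assumed EDR-style
# layout, covering one benign chain and the two launcher variants named above.
PROC_EVENTS = [
    (100, 1, "fortitray.exe"), (200, 100, "cmd.exe"), (300, 200, "powershell.exe"),
    (400, 1, "explorer.exe"), (500, 400, "cmd.exe"), (600, 500, "powershell.exe"),
    (700, 1, "ipsec.exe"), (800, 700, "cmd.exe"), (900, 800, "powershell.exe"),
]
LAUNCHERS = {"fortitray.exe", "ipsec.exe"}

def suspicious_chains(events):
    """Return PIDs of powershell.exe whose ancestry is launcher -> cmd.exe -> powershell."""
    by_pid = {pid: (ppid, img.lower()) for pid, ppid, img in events}
    found = []
    for pid, (ppid, img) in by_pid.items():
        if img != "powershell.exe" or ppid not in by_pid:
            continue
        gpid, pimg = by_pid[ppid]
        if pimg == "cmd.exe" and gpid in by_pid and by_pid[gpid][1] in LAUNCHERS:
            found.append(pid)
    return found
```

Both functions are pure so they can be fed real log lines or EDR events in place of the constructed samples; the benign explorer.exe chain is there to show the rule does not fire on ordinary cmd.exe → PowerShell use.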
Source articles (4)
- FortiClient EMS Exploited via CVE-2026-35616 for EKZ Infostealer Deployment — Technadu · 2026-05-28
  In May 2026, Arctic Wolf observed a threat cluster actively exploiting CVE-2026-35616 against FortiClient Endpoint Management Server (EMS) deployments to deliver an infostealer disguised as a Fortinet…
- Hackers exploit FortiClient EMS flaw to push infostealer malware — Bleepingcomputer · 2026-05-28
  Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. The attacker…
- CVE-2026-35616 — arcticwolf.com · 2026-05-28
- FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch — arcticwolf.com · 2026-05-28
Timeline
- 2026-04-04 — CVE-2026-35616 published: Fortinet disclosed an authentication bypass vulnerability in FortiClient EMS, allowing remote code execution.
- 2026-04-06 — CVE-2026-35616 added to CISA KEV: CISA included CVE-2026-35616 in its Known Exploited Vulnerabilities catalog due to active exploitation.
- 2026-04-20 — Emergency patches released by Fortinet: Fortinet released hotfixes for versions 7.4.5 and 7.4.6 of FortiClient EMS to address the critical vulnerability.
- 2026-05-28 — Ongoing attacks reported by Arctic Wolf: Arctic Wolf observed active exploitation of CVE-2026-35616 to deploy EKZ Infostealer, advising organizations to monitor for anomalies.
- Recent — CISA mandates federal agencies to secure systems: CISA ordered federal agencies to secure their FortiClient EMS instances against the ongoing exploitation of CVE-2026-35616.
Related entities
- Malware (Attack Type)
- CWE-287 - Improper Authentication (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- EKZ Infostealer (Malware)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1059.003 - Windows Command Shell (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- FortiClient (Platform)
- FortiClient EMS (Platform)
- Fortigate (Platform)
- IPSec (Platform)
- Windows (Platform)
- Command Prompt (Tool)
- PowerShell (Tool)