FortiClient EMS Vulnerability Exploited to Deploy EKZ Infostealer Malware
Severity: High (Score: 72.9)
Sources: Bleepingcomputer, Technadu, Feeds2.Feedburner, arcticwolf.com
Keywords: forticlient, infostealer, cve-2026-35616, hackers, exploiting, management, server
Severity indicators: flaw, malware, stealer, infostealer, CVE:CVE-2026-35616
Summary
Hackers are exploiting CVE-2026-35616, an authentication bypass vulnerability in FortiClient EMS, to deliver EKZ Infostealer malware disguised as a legitimate Fortinet update. The flaw allows unauthenticated attackers to execute arbitrary code through VPN scripting workflows. The attacks leverage FortiClient components to launch malicious scripts that download and execute the infostealer, which harvests credentials and sensitive data from multiple web browsers. Arctic Wolf reported that the malware exfiltrates the stolen data to an attacker-controlled VPS, posing a significant risk to affected organizations. Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6 in response to the exploitation. CISA has ordered federal agencies to secure their systems against this threat. The ongoing exploitation of this vulnerability has been confirmed by multiple cybersecurity firms.

Key Points:
- CVE-2026-35616 is an authentication bypass vulnerability in FortiClient EMS.
- The EKZ Infostealer targets credentials from multiple web browsers and exfiltrates sensitive data.
- Fortinet has issued emergency patches, and CISA has ordered federal agencies to secure their systems.
Detailed Analysis
**Impact**

Organizations using FortiClient Enterprise Management Server (EMS) versions 7.4.5 and 7.4.6 are affected globally, with at least 2,000 internet-exposed EMS instances reported. The EKZ infostealer targets enterprise endpoints, stealing credentials, credit card details, addresses, phone numbers, and browser cookies, including those protected by multi-factor authentication. This leads to potential unauthorized access to sensitive accounts and data exfiltration, impacting operational security and data confidentiality across sectors relying on FortiClient EMS for endpoint management.

**Technical Details**

Attackers exploit CVE-2026-35616, an improper access control vulnerability in FortiClient EMS, allowing unauthenticated remote code execution via crafted API requests. The attack chain abuses FortiClient-managed VPN scripting workflows to execute malicious batch scripts through fortitray.exe or ipsec.exe, which invoke PowerShell to deploy EKZ Infostealer disguised as a Fortinet patch. EKZ targets Chromium- and Firefox-based browsers, extracting stored credentials and session data, then exfiltrates it over HTTP to attacker-controlled VPS infrastructure. Indicators include log entries with "Certificate not found in request header" followed by "Certificate user: fortinet-ca2 … successfully updated" and suspicious Remote Access Profile changes.

**Recommended Response**

Apply Fortinet’s emergency hotfixes for FortiClient EMS versions 7.4.5 and 7.4.6 immediately to remediate CVE-2026-35616. Monitor for certificate-authentication anomalies and unexpected modifications to Remote Access Profile configurations within EMS logs. Investigate any administrative actions from unfamiliar IP origins, including Tor or VPS addresses, and block known attacker infrastructure. Deploy detection rules targeting PowerShell execution patterns and network traffic to suspicious VPS hosts to identify and contain potential EKZ infostealer activity.
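The log indicators above (a "Certificate not found in request header" entry followed by a fortinet-ca2 certificate update from the same source, plus Remote Access Profile changes) can be turned into a simple sequence detector. This is an added example, not code from Arctic Wolf or Fortinet; the `timestamp src=IP msg=...` line layout and the sample entries are constructed, since the page does not show the real EMS log format, and because the page elides part of the update message the matcher uses a wildcard between the two quoted fragments.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp src=IP msg=..." layout.
# The real FortiClient EMS log format is not shown on the page.
SAMPLE_LOG = """\
2026-05-27T10:02:11Z src=203.0.113.5 msg=Certificate not found in request header
2026-05-27T10:02:12Z src=203.0.113.5 msg=Certificate user: fortinet-ca2 successfully updated
2026-05-27T10:05:40Z src=203.0.113.5 msg=Remote Access Profile 'Corp-VPN' modified by admin
2026-05-27T11:30:00Z src=10.0.0.7 msg=Certificate not found in request header
2026-05-27T12:00:00Z src=10.0.0.9 msg=User admin logged in
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) msg=(?P<msg>.*)$")
CERT_MISSING = "Certificate not found in request header"
# The page quotes this message with an elided middle part, so match loosely.
CERT_UPDATED = re.compile(r"Certificate user: fortinet-ca2.*successfully updated")
PROFILE_CHANGE = re.compile(r"Remote Access Profile .*(modified|created|updated)", re.I)


def parse(line):
    """Split one log line into timestamp, source and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m["src"], "msg": m["msg"]}


def detect(log_text, window=timedelta(minutes=5)):
    """Return (rule, src, ts) alerts.

    A 'cert_bypass_sequence' fires when a fortinet-ca2 update follows a
    'Certificate not found' entry from the same source within `window`.
    Remote Access Profile changes are always surfaced for review.
    """
    alerts = []
    pending = defaultdict(list)  # src -> timestamps of unmatched "not found" entries
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        src, ts, msg = ev["src"], ev["ts"], ev["msg"]
        if msg.startswith(CERT_MISSING):
            pending[src].append(ts)
        elif CERT_UPDATED.search(msg):
            if any(ts - t <= window for t in pending[src]):
                alerts.append(("cert_bypass_sequence", src, ts))
                pending[src] = []
        elif PROFILE_CHANGE.search(msg):
            alerts.append(("remote_access_profile_change", src, ts))
    return alerts
```

A lone "Certificate not found" entry (the 10.0.0.7 line) raises nothing, so the rule keys on the sequence rather than on a single message that may occur benignly.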
Source articles (5)
- FortiClient EMS Exploited via CVE-2026-35616 for EKZ Infostealer Deployment — Technadu · 2026-05-28
  In May 2026, Arctic Wolf observed a threat cluster actively exploiting CVE-2026-35616 against FortiClient Endpoint Management Server (EMS) deployments to deliver an infostealer disguised as a Fortinet…
- Hackers exploit FortiClient EMS flaw to push infostealer malware — Bleepingcomputer · 2026-05-28
  Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. The attacker…
- New infostealer reaches enterprise devices through FortiClient EMS vulnerability — Feeds2.Feedburner · 2026-05-29
  Attackers are delivering a broad-spectrum infostealer to enterprise computers by exploiting a known vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS). “The [malicious] p…
- Cve 2026 35616 — arcticwolf.com · 2026-05-28
- Forticlient Ems Exploited Via Cve 2026 35616 To Deliver Ekz Infostealer Disguised As A Fortinet Patch — arcticwolf.com · 2026-05-28
Timeline
- 2026-04-04 — CVE-2026-35616 published: Fortinet disclosed an authentication bypass vulnerability in FortiClient EMS, allowing unauthenticated access.
- 2026-04-06 — CVE added to CISA KEV list: CISA added CVE-2026-35616 to its Known Exploited Vulnerabilities catalog due to active exploitation.
- 2026-05-28 — Emergency hotfixes released by Fortinet: Fortinet released hotfixes for versions 7.4.5 and 7.4.6 of FortiClient EMS to address the critical vulnerability.
- 2026-05-29 — Ongoing exploitation reported: Cybersecurity firms confirm active exploitation of CVE-2026-35616 to deploy EKZ Infostealer malware.
CVEs
Related entities
- Malware (Attack Type)
- CWE-287 - Improper Authentication (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- EKZ Infostealer (Malware)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1059.003 - Windows Command Shell (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- FortiClient (Platform)
- FortiClient EMS (Platform)
- Fortigate (Platform)
- IPSec (Platform)
- Windows (Platform)
- Command Prompt (Tool)
- PowerShell (Tool)