
FortiClient EMS Vulnerability Exploited to Deploy EKZ Infostealer
A critical FortiClient EMS vulnerability has been exploited by threat actors to deliver credential-stealing malware known as EKZ Infostealer.
The flaw is tracked as CVE-2026-35616. It affects FortiClient Endpoint Management Server, also known as FortiClient EMS. This platform is used by organizations to manage FortiClient endpoints, security policies, VPN profiles, and related endpoint configurations from one central system.
According to reports from The Hacker News and Arctic Wolf, attackers abused this trusted management path to push malicious commands to managed endpoints. The payload was disguised as a Fortinet endpoint update, which made the activity look less suspicious at first glance.
This matters because endpoint management platforms hold a powerful position inside an organization. When attackers compromise a tool that already has permission to manage devices, they do not need to break into every endpoint one by one. They can use the management system itself as the delivery path.
What Is the FortiClient EMS Vulnerability?
The FortiClient EMS vulnerability is a critical improper access control issue. Fortinet’s advisory rates CVE-2026-35616 as critical, with a CVSSv3 score of 9.1. It is exploitable without authentication, so an attacker does not need valid login credentials to reach the flaw.
The vulnerability affects FortiClient EMS versions 7.4.5 through 7.4.6. Fortinet addressed the issue in FortiClient EMS 7.4.7 and later. Organizations still running the affected versions should treat this as an urgent patching priority.
The main danger is not only the vulnerability itself. The bigger risk is what attackers can do after abusing it. In this campaign, they used the flaw to modify EMS managed configuration and push malicious scripts to endpoint devices.
How Attackers Used FortiClient EMS Against Endpoints
After exploiting CVE-2026-35616, the attackers modified FortiClient EMS configurations. Reports say they changed settings related to upgrade reminders and edited Remote Access Profile configuration and endpoint policy.
This allowed them to insert a malicious script that could execute on managed endpoint devices. The attack chain used FortiClient’s own management workflow, so the execution pattern could resemble legitimate administrative activity.
Arctic Wolf observed FortiClient-related processes such as fortitray.exe or ipsec.exe launching batch scripts through cmd.exe. Those scripts in turn invoked PowerShell, and the PowerShell script downloaded and executed the malware payload.
That payload was named FortiEndpoint_Patch.exe. The name made it look like a legitimate Fortinet update. In reality, it was EKZ Infostealer.
What Is EKZ Infostealer?
EKZ Infostealer is Windows credential-stealing malware observed by Arctic Wolf in this campaign. It was designed to collect sensitive browser data from infected endpoints.
The malware targets Chromium-based browsers such as Chrome and Microsoft Edge. It also targets Firefox and other Gecko-based browsers. The stolen data may include saved passwords, cookies, autofill data, credit card details, addresses, phone numbers, and other browser-stored information.
This is dangerous because browser cookies can sometimes allow attackers to reuse already authenticated sessions. In some cases, that may help them access cloud services, internal applications, or other systems without triggering a fresh MFA prompt.
The stealer itself does not appear to handle network exfiltration directly. Instead, it writes the collected data to a log file, and the PowerShell script then sends that file to attacker-controlled infrastructure with an HTTP POST.
Why This Attack Is Serious
This FortiClient EMS vulnerability is serious because the attackers abused a trusted endpoint management platform.
Security teams normally expect endpoint management tools to push updates, policies, scripts, and VPN configurations. That trust is exactly what made the attack more dangerous. Once the attacker could modify EMS managed configuration, every connected endpoint became a possible target.
This type of attack is different from a simple phishing email or a random malware download. The malware did not need to trick every user individually. It traveled through a management channel that organizations already rely on.
The impact can also continue after the first infection. If browser credentials or session cookies are stolen, attackers may use them for follow on access. That means the damage can move from one endpoint to cloud accounts, internal apps, email systems, developer tools, and other sensitive environments.
Signs Organizations Should Look For
Organizations running FortiClient EMS should review logs and endpoint activity carefully. Arctic Wolf noted several signs that defenders can use during investigation.
One important signal is unusual certificate authentication activity in EMS logs. Another signal is unexpected changes to Remote Access Profile configuration, especially if script execution appears in places where it was not approved.
Security teams should also look for suspicious PowerShell execution spawned from FortiClient-related processes. A concerning process chain involves fortitray.exe or ipsec.exe launching cmd.exe, followed by PowerShell, and then a file named FortiEndpoint_Patch.exe.
On endpoints, teams should look for files staged in C:\ProgramData, including log.txt or suspicious FortiEndpoint executable files. Network logs should also be checked for HTTP traffic to suspicious infrastructure, especially direct connections to raw IP addresses used for payload download or data exfiltration.
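The indicators above, as an added triage example in Python. This is not code from the article, Fortinet or Arctic Wolf: the process-event layout, the proxy log format and every sample value are constructed for illustration. It flags the fortitray.exe/ipsec.exe then cmd.exe then PowerShell chain, command lines that name FortiEndpoint_Patch.exe or stage files under C:\ProgramData, and HTTP POSTs whose destination is a raw IP address rather than a hostname.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added example: triage logic for the indicators listed in the article. The event
# layout, the proxy log format and every sample value below are constructed for
# illustration; none of it is real telemetry from the campaign or vendor tooling.


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as recorded by the sensor


FORTICLIENT_PARENTS = {"fortitray.exe", "ipsec.exe"}
CMD_SHELLS = {"cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
FAKE_PATCH_RE = re.compile(r"(?i)\bFortiEndpoint_Patch\.exe\b")
PROGRAMDATA_RE = re.compile(r"(?i)c:\\programdata\\\S+")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events):
    """Return (forticlient_pid, cmd_pid, powershell_pid) for each PowerShell process
    whose parent is cmd.exe and whose grandparent is fortitray.exe or ipsec.exe.
    Legitimate EMS-pushed scripts can produce the same shape, so hits are triage
    leads to check against approved configuration changes, not verdicts."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ps in events:
        if basename(ps.image) not in POWERSHELL:
            continue
        cmd = by_pid.get(ps.ppid)
        if cmd is None or basename(cmd.image) not in CMD_SHELLS:
            continue
        parent = by_pid.get(cmd.ppid)
        if parent is None or basename(parent.image) not in FORTICLIENT_PARENTS:
            continue
        hits.append((parent.pid, cmd.pid, ps.pid))
    return hits


def fake_patch_artifacts(events):
    """PIDs whose command line names FortiEndpoint_Patch.exe or a file under C:\\ProgramData."""
    return [e.pid for e in events
            if FAKE_PATCH_RE.search(e.cmdline) or PROGRAMDATA_RE.search(e.cmdline)]


def posts_to_raw_ip(proxy_lines):
    """Destination hosts of HTTP POSTs whose host is a literal IP address rather than
    a hostname, the exfiltration pattern the article describes. Constructed line
    layout: '<timestamp> <client> <method> <url> <status> <bytes>'."""
    found = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2].upper() != "POST":
            continue
        host = urlsplit(parts[3]).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue            # a hostname, not a raw IP
        found.append(host)
    return found


# Constructed sample data: one malicious chain and one benign PowerShell launch.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe", r"FortiTray.exe"),
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\ProgramData\update.cmd"'),
    ProcEvent(102, 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ep bypass -File C:\ProgramData\update.ps1"),
    ProcEvent(103, 102, r"C:\ProgramData\FortiEndpoint_Patch.exe", r"C:\ProgramData\FortiEndpoint_Patch.exe"),
    ProcEvent(200, 5, r"C:\Windows\explorer.exe", r"explorer.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe"),
]
SAMPLE_PROXY = [
    "2026-05-12T10:01:02Z 10.0.0.5 GET https://updates.example.net/forticlient 200 1024",
    "2026-05-12T10:01:07Z 10.0.0.5 POST http://203.0.113.10/upload 200 4096",
    "2026-05-12T10:02:00Z 10.0.0.5 POST https://login.example.net/api 200 512",
]

if __name__ == "__main__":
    print("chains:", find_suspicious_chains(SAMPLE_EVENTS))
    print("staging/fake patch:", fake_patch_artifacts(SAMPLE_EVENTS))
    print("POST to raw IP:", posts_to_raw_ip(SAMPLE_PROXY))
```

The chain check deliberately matches only the exact three-level shape the article describes; a PowerShell opened from Explorer is not flagged, and a hit still needs to be compared against approved Remote Access Profile or policy changes before it is treated as malicious.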
What Organizations Should Do Now
The first step is to identify whether FortiClient EMS is used in the environment. If it is, check the installed version immediately.
Organizations running FortiClient EMS 7.4.5 or 7.4.6 should upgrade to FortiClient EMS 7.4.7 or later. Fortinet’s release notes state that version 7.4.7 is no longer vulnerable to CVE-2026-35616.
Next, restrict access to the FortiClient EMS management port. Arctic Wolf recommends limiting access to port 8013 to trusted IP ranges only. This helps reduce exposure, especially for internet facing deployments.
After patching, teams should not assume the environment is clean. They should review EMS logs, endpoint logs, EDR alerts, PowerShell history, VPN profile changes, and suspicious file creation events.
If EKZ Infostealer activity is found, credential rotation becomes critical. Browser saved passwords, cloud sessions, admin accounts, VPN credentials, service accounts, and internal application credentials may need to be reviewed or reset.
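The version and exposure checks from the steps above, as an added Python example that is not the article's, Fortinet's or Arctic Wolf's code. The version logic encodes only what the article states (7.4.5 and 7.4.6 affected, 7.4.7 and later fixed) and reports any other version as "not covered" rather than safe, so other branches are checked against the vendor advisory. The firewall rule records and trusted ranges are a constructed illustration of restricting port 8013, not any vendor's rule syntax.

```python
import ipaddress
import re

# Added example (not the article's, Fortinet's or Arctic Wolf's code). Encodes only the
# version facts the article gives; any other branch is reported as "not covered" so the
# reader consults the vendor advisory instead of assuming it is safe. Rule records and
# trusted ranges below are constructed for illustration.

EMS_MGMT_PORT = 8013
AFFECTED_MIN = (7, 4, 5)      # 7.4.5 through 7.4.6 affected, per the article
AFFECTED_MAX = (7, 4, 6)
FIXED_FROM = (7, 4, 7)        # 7.4.7 and later fixed, per the article

VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[\s.\-+].*)?")


def parse_version(text: str):
    """'7.4.10' -> (7, 4, 10). Build suffixes such as '7.4.7 build 1234' are ignored."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def ems_status(version_text: str) -> str:
    """'affected', 'fixed' or 'not covered' for a FortiClient EMS version string.
    Comparing integer tuples avoids the string-compare trap where '7.4.10' < '7.4.7'."""
    v = parse_version(version_text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v[:2] == FIXED_FROM[:2] and v >= FIXED_FROM:
        return "fixed"
    return "not covered"


def exposed_mgmt_rules(rules, trusted_ranges):
    """Names of allow rules for the EMS port whose source is not fully inside one of
    the trusted ranges. 0.0.0.0/0, or any range wider than the allow-list, is flagged."""
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
    flagged = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] != EMS_MGMT_PORT:
            continue
        src = ipaddress.ip_network(rule["src"])
        inside = any(src.version == t.version and src.subnet_of(t) for t in trusted)
        if not inside:
            flagged.append(rule["name"])
    return flagged


# Constructed sample rule set: one correctly scoped rule, one open to the internet,
# and one unrelated rule that must not be reported.
SAMPLE_RULES = [
    {"name": "ems-from-corp", "action": "allow", "port": 8013, "src": "10.20.0.0/16"},
    {"name": "ems-from-anywhere", "action": "allow", "port": 8013, "src": "0.0.0.0/0"},
    {"name": "web-from-anywhere", "action": "allow", "port": 443, "src": "0.0.0.0/0"},
]
TRUSTED_RANGES = ["10.0.0.0/8", "192.168.50.0/24"]

if __name__ == "__main__":
    for v in ("7.4.5", "7.4.6", "7.4.7", "7.4.10", "7.4.4"):
        print(v, ems_status(v))
    print("exposed EMS rules:", exposed_mgmt_rules(SAMPLE_RULES, TRUSTED_RANGES))
```

The "not covered" result is deliberate: the article only describes the 7.4 branch, and a check that silently calls everything outside 7.4.5 and 7.4.6 safe would hide exactly the versions an administrator most needs to verify against the advisory.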
Why Patch Management Alone Is Not Enough
Patching is necessary, but it is not the full response. A patch closes the vulnerability going forward. It does not undo what attackers may have already done before the update.
That is why investigation matters. Teams should ask whether the vulnerable EMS server was reachable from untrusted networks. They should check whether any configuration changes were made. They should also verify whether endpoint scripts were pushed without approval.
If suspicious activity is confirmed, the response should include containment, forensic review, credential rotation, endpoint cleanup, and monitoring for follow on access.
Conclusion
The FortiClient EMS vulnerability CVE-2026-35616 shows how dangerous a compromised management platform can become. Attackers used a critical flaw to push malicious scripts through a trusted endpoint management path and deliver EKZ Infostealer as a fake Fortinet patch.
Organizations using FortiClient EMS should upgrade to version 7.4.7 or later, restrict management access, review logs for suspicious activity, and investigate managed endpoints for signs of credential theft.
Endpoint management tools are powerful because they control many devices at once. That same power becomes a serious risk when attackers find a way inside.
Source: https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
