Hackers exploit FortiClient EMS flaw to push infostealer malware
Hackers exploit FortiClient EMS authentication bypass to deliver EKZ credential stealer malware.
Summary
Attackers are exploiting CVE-2026-35616, a critical authentication bypass vulnerability in Fortinet's FortiClient Enterprise Management Server, to deploy the EKZ infostealer malware. The exploit chains an improper access control flaw with VPN scripting workflows to execute malicious payloads disguised as legitimate Fortinet updates, exfiltrating browser credentials and sensitive data. Fortinet released emergency hotfixes in April 2026, and CISA ordered federal agencies to patch; Arctic Wolf has now documented active exploitation campaigns.
Full text
Hackers exploit FortiClient EMS flaw to push infostealer malware By Bill Toulas May 28, 2026 01:25 PM 0 Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. The attacker disguised the malware as an update for Fortinet endpoints and executed it through VPN scripting workflows managed by FortiClient. The exploited critical vulnerability is an improper access control flaw that allows unauthenticated remote attackers to execute arbitrary code or commands via specially crafted requests. Fortinet confirmed in early April that it was being exploited and released emergency hotfixes for versions 7.4.5 and 7.4.6 of the product. CISA reacted quickly to the malicious activity and ordered federal agencies to secure their instances by the end of that week, while the internet security watchdog group The Shadowserver Foundation reported at the time that it was seeing 2,000 internet-exposed EMS instances. Earlier this month, cybersecurity company Arctic Wolf observed attacks leveraging the vulnerability to deliver the EKZ infostealer. The researchers note that the intrusion begins with abusing endpoint APIs to perform administrative actions without authentication. The attacker then modifies the EMS configuration and VPN policies to introduce the execution of malicious scripts. Seconds after endpoints established an IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe launched malicious batch scripts through Command Prompt. Those scripts executed a base64-encoded PowerShell payload that downloaded and ran malware disguised as a Fortinet patch, then exfiltrated data to an attacker-controlled VPS over HTTP. Malicious PowerShell codeSource: Arctic Wolf “Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows,” reads the report from Arctic Wolf. “On affected endpoints, FortiClient components launched command scripts that invoked PowerShell, downloaded a credential stealer, executed it silently, and exfiltrated harvested browser data before removing local artifacts.” The downloaded payload, tracked as EKZ Infostealer, features fairly standard information-stealing functionality. It targets both Chromium-based and Firefox web browsers and extracts stored data to text files while bypassing encrypted password protections. Stealer executes without argumentsSource: Arctic Wolf The malware targets credentials, credit card details, addresses, phone numbers, and cookies, which provide access to accounts protected by multi-factor authentication without loging it. According to Arctic Wolf, one indication of an exploitation attempt in attacks delivering the EKZ infostealer is the presence in the logs of the line "Certificate not found in request header." In lab tests, the error was followed in seconds by another entry: Certificate user: fortinet-ca2 … successfully updated As such, the researchers recommend defenders look for certificate-authentication anomalies and unexpected changes to Remote Access Profile configurations. Any suspicious administrative activity, such as new accounts, logins with an unfamiliar origin (Tor, VPS IP addresses), or actions leading to configuration changes, should be considered red flags. Arctic Wolf's report provides extensive detection guidance that could help organizations prevent the observed attacks. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Download Now Related Articles: Hackers bypass SonicWall VPN MFA due to incomplete patchingHackers exploit auth bypass flaw in Burst Statistics WordPress pluginCritical cPanel and WHM bug exploited as a zero-day, PoC now availableCritical Nginx UI auth bypass flaw now actively exploited in the wildCISA orders feds to patch exploited Fortinet EMS flaw by Friday
Indicators of Compromise
- cve — CVE-2026-35616
- malware — EKZ Infostealer
- mitre_attack — T1078.001
- mitre_attack — T1555