Attackers Exploit CVE-2026-35616 in FortiClient EMS to Deploy EKZ Infostealer Disguised as a Fortinet Patch
Arctic Wolf found attackers abusing a critical 9.8-CVSS FortiClient EMS authentication bypass to silently push EKZ Infostealer to every managed endpoint via legitimate VPN scripting workflows.
Overview
Researchers at Arctic Wolf have identified a campaign in which attackers exploited a critical authentication bypass in Fortinet’s FortiClient Endpoint Management Server to silently deliver credential-stealing malware to every endpoint under management — disguised as a legitimate Fortinet patch update. The disclosure, published by Arctic Wolf on May 27, 2026, marks a new phase of exploitation for CVE-2026-35616, a flaw that was first detected in the wild on March 31 and added to the CISA Known Exploited Vulnerabilities catalog on April 6.
What We Know
The Vulnerability
CVE-2026-35616 is an improper access control flaw in FortiClient EMS versions 7.4.5 and 7.4.6. According to NVD, which carries the Fortinet-assigned score, the vulnerability has a CVSS base score of 9.8 (Critical), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The official description reads: “A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.” Versions on the 7.2 branch and earlier are not affected, according to watchTowr, whose Attacker Eye sensors first detected exploitation on March 31, before Fortinet’s advisory was published on April 4.
FortiClient EMS is a centralized management platform used by enterprises to administer endpoint security policies, VPN configurations, and compliance settings across fleets of FortiClient-managed devices. Managed FortiClient agents communicate with the server over TCP port 8013. According to CyberScoop, nearly 2,000 publicly exposed FortiClient EMS instances were identified by The Shadowserver Foundation at the time of the April disclosure.
The Attack Method
As documented by Arctic Wolf, threat actors exploited the flaw to bypass API authentication: “By bypassing API authentication and interacting with EMS functionality in a privileged context, threat actors were able to modify management configuration and push malicious scripts for execution on managed endpoints.”
According to Help Net Security, once inside, the requests were “processed as if they were legitimate administrative actions.” Attackers modified the Remote Access Profile and injected malicious PowerShell scripts into endpoint policies triggered by FortiClient’s legitimate on_connect feature — code that executes automatically whenever a VPN tunnel is established, as CyberSecurityNews reported. The malicious scripts were staged as GUID-named .cmd files in C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\.
The execution chain runs: fortitray.exe or ipsec.exe → cmd.exe → powershell.exe → the malicious payload, which is delivered as a file named FortiEndpoint_Patch.exe — crafted to look like an authorized Fortinet endpoint update, Arctic Wolf found. The initial login events to the EMS server originated from Tor exit nodes, including IP addresses 185.220.101.15 and 192.42.116.14.
EKZ Infostealer Capabilities
The payload, designated EKZ Infostealer by Arctic Wolf, is compiled with MinGW/GCC and arrives as a 4,019,070-byte executable. It targets credentials stored in Chromium-based browsers — including Chrome and Edge — as well as Firefox and other Gecko-based browsers such as Tor Browser, according to Help Net Security. Stolen data includes saved passwords, session cookies, autofill entries (credit card numbers, addresses, phone numbers), and encrypted password vaults, which the malware unlocks via Chromium’s Elevation Service, the privileged helper process that Chrome itself relies on to protect its app-bound encryption key.
CyberSecurityNews quoted Arctic Wolf on the significance of the cookie theft: “stolen session cookies are particularly dangerous, as they can enable account takeover even where MFA protections are in place.”
Stolen data is written to a local file named log.txt before being exfiltrated via HTTP POST to a command-and-control server at 83.138.53.110, a virtual private server, Arctic Wolf reported. The remote payload is downloaded from hxxp://83.138.53.110/dl/p.exe.
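The host indicators from the attack-method section (GUID-named .cmd files under the FortiClient Trace\scripts directory, the fortitray.exe/ipsec.exe → cmd.exe → powershell.exe chain, the FortiEndpoint_Patch.exe lure, EMS logins from Tor exits) and the network indicators above (the 83.138.53.110 C2 and its /dl/p.exe download) translate directly into hunting rules. The following is an added example, not code from Arctic Wolf or Fortinet: it runs those rules over a constructed set of Sysmon-style events (the event shape, PIDs and the GUID value are assumptions for illustration; the indicators are the ones reported in the article).

```python
# Added hunting example (not Arctic Wolf's or Fortinet's code). Event shape,
# PIDs and the GUID filename below are constructed; the indicators are the
# ones reported for this campaign.
import re

SCRIPTS_DIR = "c:\\program files\\fortinet\\forticlient\\logs\\trace\\scripts\\"
GUID_CMD_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.cmd$", re.IGNORECASE)
FORTI_PARENTS = {"fortitray.exe", "ipsec.exe"}  # legitimate on_connect launchers
LURE_NAME = "fortiendpoint_patch.exe"
C2_IP = "83.138.53.110"
TOR_EXITS = {"185.220.101.15", "192.42.116.14"}  # EMS login sources reported


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(proc: dict, by_pid: dict, max_depth: int = 8) -> list:
    """Parent image basenames, nearest parent first."""
    chain, cur = [], proc
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(basename(parent["image"]))
        cur = parent
    return chain


def hunt(events: list) -> list:
    """Return (rule, detail) findings for the campaign's host and network indicators."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "file":
            path = e["path"].lower()
            if path.startswith(SCRIPTS_DIR) and GUID_CMD_RE.match(basename(path)):
                findings.append(("staged_onconnect_script", e["path"]))
        elif e["type"] == "process":
            img = basename(e["image"])
            if img == "powershell.exe":
                chain = ancestry(e, by_pid)
                # fortitray.exe/ipsec.exe -> cmd.exe -> powershell.exe is the on_connect chain
                if len(chain) >= 2 and chain[0] == "cmd.exe" and chain[1] in FORTI_PARENTS:
                    findings.append(("forticlient_script_chain",
                                     " -> ".join(reversed(chain)) + " -> powershell.exe"))
            if img == LURE_NAME or LURE_NAME in e.get("cmdline", "").lower():
                findings.append(("fortinet_patch_lure", e["image"]))
        elif e["type"] == "network":
            if e["dst_ip"] == C2_IP:
                findings.append(("ekz_c2_traffic", f"{e['dst_ip']} {e.get('uri', '')}"))
        elif e["type"] == "ems_login":
            if e["src_ip"] in TOR_EXITS:
                findings.append(("ems_login_from_tor_exit", e["src_ip"]))
    return findings


# Constructed sample: one compromised host plus a benign interactive PowerShell.
GUID = "3f2a9c1e-7b4d-4e6a-9c21-0d5e8a7b6f43"  # made-up script name
SCRIPT = f"C:\\Program Files\\Fortinet\\FortiClient\\logs\\Trace\\scripts\\{GUID}.cmd"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "ems_login", "src_ip": "185.220.101.15", "user": "admin"},
    {"type": "ems_login", "src_ip": "10.0.0.5", "user": "admin"},
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe", "cmdline": "FortiTray.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": f'cmd.exe /c "{SCRIPT}"'},
    {"type": "file", "path": SCRIPT},
    {"type": "process", "pid": 300, "ppid": 200, "image": PS, "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoProfile"},
    {"type": "network", "src_pid": 300, "dst_ip": "83.138.53.110", "uri": "/dl/p.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "C:\\Users\\Public\\FortiEndpoint_Patch.exe", "cmdline": "FortiEndpoint_Patch.exe"},
    {"type": "network", "src_pid": 400, "dst_ip": "83.138.53.110", "uri": "/ (POST of log.txt)"},
    {"type": "process", "pid": 500, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 501, "ppid": 500, "image": PS, "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

The IP and filename rules are campaign-specific and will age quickly. The process-chain rule is behavioural, but a legitimately configured on_connect script produces exactly the same fortitray.exe → cmd.exe → powershell.exe chain, so it should be correlated with unexpected changes to the Remote Access Profile and with new .cmd files appearing in the scripts directory rather than alerted on by itself.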
Timeline and Federal Response
watchTowr registered the first exploitation attempts on March 31, 2026. CyberScoop reported that exploitation ramped up significantly after the April 6 hotfix announcement, and that the spike intensified around the Easter holiday weekend. watchTowr CEO Benjamin Harris described the timing as likely not coincidental, noting that holiday weekends present an opportunity for attackers.
Fortinet published its advisory, referenced as FG-IR-26-099, on April 4, 2026. CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities catalog on April 6, setting an April 9 deadline for federal civilian executive branch agencies to apply mitigations, per NVD. The May 2026 campaign observed by Arctic Wolf shows that exploitation has continued well beyond the federal remediation window.
Context: The Second FortiClient EMS Flaw in Weeks
As watchTowr noted, CVE-2026-35616 is the second unauthenticated remote code execution vulnerability in FortiClient EMS disclosed within a short period. The Machine Herald previously reported on CVE-2026-21643, a pre-authentication SQL injection introduced during a database refactoring in version 7.4.4, which was also under active exploitation. Ironically, organizations that patched CVE-2026-21643 by upgrading to version 7.4.5 or 7.4.6 moved directly onto the versions vulnerable to CVE-2026-35616.
What We Don’t Know
The threat actors behind the May 2026 EKZ Infostealer campaign have not been attributed to any named group. Arctic Wolf’s report did not identify specific victim organizations or sectors. The total number of endpoints affected by the campaign is unknown. It is also unclear whether the FortiEndpoint_Patch.exe lure was used in earlier exploitation waves or is specific to the May 2026 activity.
Remediation
Fortinet has released emergency out-of-band hotfixes for FortiClient EMS 7.4.5 and 7.4.6 that can be applied without system downtime, with a permanent fix included in the upcoming 7.4.7 release, per watchTowr. Help Net Security reported that remediation steps for potentially compromised environments include password resets across affected accounts, session revocation, payment card cancellation or reissuance where autofill data may have been stored, and log review for certificate errors and unauthorized account creation.