Hackers Exploit FortiClient EMS Flaw to Deploy EKZ Infostealer

Key Takeaways

- CVE-2026-35616 is a critical authentication bypass flaw in FortiClient EMS (CVSS 9.1) that is being actively exploited
- Attackers use the vulnerability to push the EKZ Infostealer disguised as legitimate Fortinet updates
- Organizations must update to FortiClient EMS version 7.4.7 or later immediately to stop the attack
What's Happening
Hackers are actively exploiting CVE-2026-35616, a critical authentication bypass vulnerability in FortiClient Enterprise Management Server (EMS), to deploy a new credential-stealing malware called EKZ Infostealer. The attack is particularly dangerous because the malware masquerades as a legitimate Fortinet endpoint update and executes through trusted VPN scripting workflows.
Fortinet disclosed the vulnerability in early April 2026 and released emergency hotfixes for versions 7.4.5 and 7.4.6. CISA responded immediately, ordering federal agencies to secure their systems by the end of that week. Despite these warnings, The Shadowserver Foundation reported approximately 2,000 internet-exposed EMS instances remained vulnerable.
How the Attack Works
Cybersecurity firm Arctic Wolf documented the attack chain earlier this month. The intrusion begins when attackers abuse endpoint APIs to perform administrative actions without authentication. They then modify EMS configuration and VPN policies to introduce malicious script execution.
The timing is precise. Seconds after endpoints establish an IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe process launches malicious batch scripts through Command Prompt. These scripts execute a base64-encoded PowerShell payload that downloads the malware, runs it silently, and exfiltrates stolen data to an attacker-controlled server over HTTP.

“Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows. On affected endpoints, FortiClient components launched command scripts that invoked PowerShell, downloaded a credential stealer, executed it silently, and exfiltrated harvested browser data before removing local artifacts.”
— Arctic Wolf research report
The EKZ Infostealer
The EKZ Infostealer targets both Chromium-based and Firefox web browsers. It extracts stored data to text files while bypassing encrypted password protections. The malware collects credentials, credit card details, addresses, phone numbers, and session cookies.
The cookie theft is especially problematic. Stolen session cookies allow attackers to access accounts protected by multi-factor authentication without triggering login alerts. Victims may not realize their accounts are compromised because no new login event is recorded.

Why This Attack Is Hard to Detect
The campaign exploits a fundamental trust problem. Because the malware executes through the legitimate fortitray.exe process, a component administrators expect to see running, traditional endpoint detection and response (EDR) solutions struggle to flag the activity as malicious.
“The ability for an unauthenticated attacker to manipulate remote access profiles allows for a highly automated, fleet-wide distribution of malware that is extremely difficult for defenders to detect in real-time.”
— Sarah Jenkins, Lead Security Analyst at Arctic Wolf
Community discussions on r/cybersecurity and HackerNews echo this frustration. Systems administrators have noted the extremely short window between public disclosure and widespread weaponization. The attack essentially turns a security management tool into a malware delivery vector.
Detection and Remediation
Arctic Wolf identified one key indicator of compromise: the presence of "Certificate not found in request header" in system logs. This error appeared consistently in lab tests before exploitation attempts.
Organizations running FortiClient EMS should take immediate action:
- Update to FortiClient EMS version 7.4.7 or later, which contains the mandatory security fix
- Audit VPN policies and endpoint configurations for unauthorized modifications
- Review logs for the "Certificate not found in request header" error message
- Scan endpoints for signs of the EKZ Infostealer or unusual browser data exfiltration
- Rotate credentials for any accounts that may have been accessed from compromised endpoints
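As an added example (not from the article, Arctic Wolf, or Fortinet), the following Python sketches two of the checks above over constructed sample data: the "Certificate not found in request header" EMS log indicator, and the fortitray.exe -> cmd.exe -> encoded PowerShell process chain described in the attack walkthrough. The log format, the process-event records and the benign encoded payload are all assumptions made up for the demonstration.

```python
import base64
import re

# Constructed sample data, not Fortinet's real log format: an EMS server log
# containing the indicator Arctic Wolf reported, plus simplified endpoint
# process-creation records (parent image, child image, command line).
EMS_LOG = """\
2026-04-08 10:02:11 INFO  api request /api/v1/endpoints OK
2026-04-08 10:02:12 ERROR Certificate not found in request header
2026-04-08 10:02:13 INFO  vpn policy 'corp-ipsec' updated
"""

# Benign stand-in for the encoded payload so the sample runs harmlessly.
SAMPLE_ENC = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
PROCESS_EVENTS = [
    ("fortitray.exe", "cmd.exe", r"cmd.exe /c C:\ProgramData\update.bat"),
    ("cmd.exe", "powershell.exe", f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"),
    ("explorer.exe", "notepad.exe", "notepad.exe"),
]

INDICATOR = "Certificate not found in request header"
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def find_ems_indicator(log_text):
    """Return the EMS log lines carrying the pre-exploitation error string."""
    return [line for line in log_text.splitlines() if INDICATOR in line]

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE) for analyst review."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def suspicious_process_chains(events):
    """Flag the chain from the report: fortitray.exe spawning a shell, and any
    process launching PowerShell with an encoded command. Returns (kind, detail)."""
    findings = []
    for parent, child, cmdline in events:
        if parent.lower() == "fortitray.exe" and child.lower() in ("cmd.exe", "powershell.exe"):
            findings.append(("fortitray_spawns_shell", cmdline))
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append(("encoded_powershell", decoded))
    return findings

if __name__ == "__main__":
    for line in find_ems_indicator(EMS_LOG):
        print("EMS indicator:", line)
    for kind, detail in suspicious_process_chains(PROCESS_EVENTS):
        print(f"{kind}: {detail}")
```

In a real deployment the process events would come from Sysmon or EDR telemetry and the decoded command would be reviewed rather than trusted; the point is that fortitray.exe starting a shell is the anomaly to alert on, not the presence of fortitray.exe itself.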
The Bigger Picture
This campaign reflects a growing trend: attackers targeting enterprise management platforms to achieve scale. Instead of compromising endpoints one by one, threat actors gain control of the tools that manage thousands of devices.
Marcus Thorne, a cybersecurity architect at Fortinet Solutions, summarized the shift: "This campaign underscores how attackers are increasingly weaponizing legitimate management tools to bypass traditional endpoint security controls."
For organizations relying on centralized endpoint management, the lesson is clear. The security of your management server is the security of your entire fleet.
Frequently Asked Questions
What is CVE-2026-35616?
CVE-2026-35616 is a critical authentication bypass vulnerability in FortiClient Enterprise Management Server (EMS) with a 9.1 CVSS score. It allows unauthenticated remote attackers to execute arbitrary code via specially crafted requests.
What is the EKZ Infostealer?
EKZ Infostealer is a newly discovered credential-stealing malware that targets Chromium-based and Firefox browsers. It extracts passwords, credit card details, addresses, phone numbers, and session cookies while bypassing browser encryption protections.
Which FortiClient EMS versions are affected?
Versions prior to 7.4.7 are vulnerable. Fortinet released emergency hotfixes for 7.4.5 and 7.4.6 in early April, but organizations should update to 7.4.7 or later for full protection.
How can I detect if my organization was compromised?
Check system logs for the error message "Certificate not found in request header." Review VPN policies and endpoint configurations for unauthorized changes. Scan endpoints for unusual browser data exfiltration or the presence of the EKZ Infostealer.
Why is this attack hard to detect with EDR?
The malware executes through legitimate FortiClient components, specifically fortitray.exe. Because this process is expected to run during normal VPN operations, traditional EDR solutions often fail to flag the malicious activity as anomalous.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer