Hackers Exploit FortiClient EMS Flaw to Deploy EKZ Infostealer

Key Takeaways

- CVE-2026-35616 is a critical authentication bypass flaw (CVSS 9.1) in FortiClient EMS that is being actively exploited
- Attackers use the vulnerability to push the EKZ Infostealer disguised as legitimate Fortinet updates
- Organizations must update to FortiClient EMS version 7.4.7 or later immediately to stop the attack

What's Happening
Hackers are actively exploiting CVE-2026-35616, a critical authentication bypass vulnerability in FortiClient Enterprise Management Server (EMS), to deploy a new credential-stealing malware called EKZ Infostealer. The attack is particularly dangerous because the malware masquerades as a legitimate Fortinet endpoint update and executes through trusted VPN scripting workflows.
Fortinet disclosed the vulnerability in early April 2026 and released emergency hotfixes for versions 7.4.5 and 7.4.6. CISA responded immediately, ordering federal agencies to secure their systems by the end of that week. Despite these warnings, the Shadowserver Foundation reported that approximately 2,000 internet-exposed EMS instances remained vulnerable.
How the Attack Works
Cybersecurity firm Arctic Wolf documented the attack chain earlier this month. The intrusion begins when attackers abuse endpoint APIs to perform administrative actions without authentication. They then modify EMS configuration and VPN policies to introduce malicious script execution.
The timing is precise. Seconds after endpoints establish an IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe process launches malicious batch scripts through Command Prompt. These scripts execute a base64-encoded PowerShell payload that downloads the malware, runs it silently, and exfiltrates stolen data to an attacker-controlled server over HTTP.

“Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows. On affected endpoints, FortiClient components launched command scripts that invoked PowerShell, downloaded a credential stealer, executed it silently, and exfiltrated harvested browser data before removing local artifacts.”
— Arctic Wolf research report
The EKZ Infostealer
The EKZ Infostealer targets both Chromium-based and Firefox web browsers. It extracts stored data to text files while bypassing encrypted password protections. The malware collects credentials, credit card details, addresses, phone numbers, and session cookies.
The cookie theft is especially problematic. Stolen session cookies allow attackers to access accounts protected by multi-factor authentication without triggering login alerts. Victims may not realize their accounts are compromised because no new login event is recorded.

Why This Attack Is Hard to Detect
The campaign exploits a fundamental trust problem. Because the malware executes through the legitimate fortitray.exe process, a component administrators expect to see running, traditional endpoint detection and response (EDR) solutions struggle to flag the activity as malicious.
“The ability for an unauthenticated attacker to manipulate remote access profiles allows for a highly automated, fleet-wide distribution of malware that is extremely difficult for defenders to detect in real-time.”
— Sarah Jenkins, Lead Security Analyst at Arctic Wolf
Community discussions on r/cybersecurity and Hacker News echo this frustration. Systems administrators have noted the extremely short window between public disclosure and widespread weaponization. The attack essentially turns a security management tool into a malware delivery vector.
Detection and Remediation
Arctic Wolf identified one key indicator of compromise: the presence of "Certificate not found in request header" in system logs. This error appeared consistently in lab tests before exploitation attempts.
Organizations running FortiClient EMS should take immediate action:
- Update to FortiClient EMS version 7.4.7 or later, which contains the mandatory security fix
- Audit VPN policies and endpoint configurations for unauthorized modifications
- Review logs for the "Certificate not found in request header" error message
- Scan endpoints for signs of the EKZ Infostealer or unusual browser data exfiltration
- Rotate credentials for any accounts that may have been accessed from compromised endpoints
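The two observable signals the article names, the "Certificate not found in request header" error in EMS logs and the legitimate fortitray.exe process spawning a command shell that runs base64-encoded PowerShell, can be turned into a simple log scanner. The script below is an added example written for this page; it is not Arctic Wolf's or Fortinet's tooling. The log lines it scans are constructed for the example, and the "ProcessCreate parent=... image=... cmdline=..." event format and the FortiClient install path are assumptions, so adapt the parser to whatever your EDR or Sysmon export actually looks like.

```python
"""Scan log lines for the indicators described in the FortiClient EMS campaign.

Added example for this article (not Arctic Wolf's or Fortinet's code).
The sample log lines and the 'ProcessCreate' event format are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator quoted in the article as a precursor to exploitation attempts.
EMS_INDICATOR = "Certificate not found in request header"

# Chain described in the article: trusted fortitray.exe launches a command
# shell, which runs a base64-encoded PowerShell payload.
TRUSTED_PARENT = "fortitray.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts -EncodedCommand and its prefixes (-enc, -ec, -e).
ENCODED_FLAG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)
# Assumed (constructed) process-creation event layout.
PROCESS_EVENT = re.compile(
    r'ProcessCreate parent="([^"]+)" image="([^"]+)" cmdline="([^"]*)"'
)


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE text in base64; None if not decodable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_process_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (parent, image, cmdline) for a constructed ProcessCreate line."""
    m = PROCESS_EVENT.search(line)
    return m.groups() if m else None


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def scan_logs(lines: List[str]) -> List[Finding]:
    """Flag the EMS error string, fortitray.exe spawning a shell, and
    PowerShell launched with an encoded command (decoded for the analyst)."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        if EMS_INDICATOR in line:
            findings.append(Finding(n, "ems_indicator", EMS_INDICATOR))
            continue
        event = parse_process_event(line)
        if event is None:
            continue
        parent, image, cmdline = event
        parent_name, image_name = basename(parent), basename(image)
        if parent_name == TRUSTED_PARENT and image_name in SHELL_CHILDREN:
            findings.append(Finding(n, "trusted_parent_spawns_shell",
                                    f"{parent_name} -> {image_name}"))
        m = ENCODED_FLAG.search(cmdline)
        if image_name in POWERSHELL and m:
            decoded = decode_encoded_command(m.group(1))
            findings.append(Finding(n, "encoded_powershell",
                                    decoded if decoded else "<undecodable>"))
    return findings


# Constructed sample: a benign command is encoded the way PowerShell expects,
# so the scanner's decoding step can be checked without any real payload.
SAMPLE_BLOB = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    '2026-04-09T10:14:02Z ems-api INFO request GET /api/v1/endpoints ok',
    '2026-04-09T10:14:05Z ems-api ERROR Certificate not found in request header',
    '2026-04-09T10:16:30Z winevt ProcessCreate '
    'parent="C:\\Program Files\\Fortinet\\FortiClient\\fortitray.exe" '
    'image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c update.bat"',
    '2026-04-09T10:16:31Z winevt ProcessCreate '
    'parent="C:\\Windows\\System32\\cmd.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    f'cmdline="powershell.exe -EncodedCommand {SAMPLE_BLOB}"',
    '2026-04-09T10:20:00Z winevt ProcessCreate parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run against the constructed sample, the scanner reports three findings (the EMS error, fortitray.exe launching cmd.exe, and the decoded PowerShell command) and ignores the ordinary explorer.exe event. Decoding the encoded command matters for triage: a parent-child rule alone tells you something unusual ran, while the decoded text tells you what it tried to do.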
The Bigger Picture
This campaign reflects a growing trend: attackers targeting enterprise management platforms to achieve scale. Instead of compromising endpoints one by one, threat actors gain control of the tools that manage thousands of devices.
Marcus Thorne, a cybersecurity architect at Fortinet Solutions, summarized the shift: "This campaign underscores how attackers are increasingly weaponizing legitimate management tools to bypass traditional endpoint security controls."
For organizations relying on centralized endpoint management, the lesson is clear. The security of your management server is the security of your entire fleet.
Frequently Asked Questions
What is CVE-2026-35616?
CVE-2026-35616 is a critical authentication bypass vulnerability in FortiClient Enterprise Management Server (EMS) with a 9.1 CVSS score. It allows unauthenticated remote attackers to execute arbitrary code via specially crafted requests.
What is the EKZ Infostealer?
EKZ Infostealer is a newly discovered credential-stealing malware that targets Chromium-based and Firefox browsers. It extracts passwords, credit card details, addresses, phone numbers, and session cookies while bypassing browser encryption protections.
Which FortiClient EMS versions are affected?
Versions prior to 7.4.7 are vulnerable. Fortinet released emergency hotfixes for 7.4.5 and 7.4.6 in early April, but organizations should update to 7.4.7 or later for full protection.
How can I detect if my organization was compromised?
Check system logs for the error message "Certificate not found in request header." Review VPN policies and endpoint configurations for unauthorized changes. Scan endpoints for unusual browser data exfiltration or the presence of the EKZ Infostealer.
Why is this attack hard to detect with EDR?
The malware executes through legitimate FortiClient components, specifically fortitray.exe. Because this process is expected to run during normal VPN operations, traditional EDR solutions often fail to flag the malicious activity as anomalous.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer