FortiClient EMS Exploited via CVE-2026-35616 for EKZ Infostealer Deployment
- Vulnerability Exploited: Arctic Wolf Labs detected CVE-2026-35616 exploitation against FortiClient EMS deployments in May 2026.
- Payload Disguised as a Fix: Threat actors delivered the EKZ Infostealer under the guise of a legitimate Fortinet endpoint patch.
- Credentials Compromised: The malware can extract credentials from Chrome, Microsoft Edge, and Firefox and bypass Chrome’s encrypted password storage mechanisms.
In May 2026, Arctic Wolf observed a threat cluster actively exploiting CVE-2026-35616 against FortiClient Endpoint Management Server (EMS) deployments to deliver an infostealer disguised as a Fortinet patch. This improper access control vulnerability allows unauthenticated threat actors to bypass API authentication and send privileged requests directly to affected deployments.
Detecting EKZ Infostealer Intrusions
By abusing the FortiClient EMS management infrastructure, attackers successfully delivered a powerful credential stealer disguised as a Fortinet patch. Based on internal symbol names extracted from the decrypted code, Arctic Wolf named this malicious payload EKZ Infostealer.
The threat actors weaponized FortiClient-managed VPN scripting workflows to deliver the malware payload to endpoints. The execution chain begins with fortitray.exe or ipsec.exe launching cmd.exe. This process then calls powershell.exe to quietly execute the final payload, FortiEndpoint_Patch.exe.
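One way to hunt for the execution chain just described, written here as an added example rather than Arctic Wolf's own tooling: it walks Sysmon-style process-creation events by parent PID and flags any process whose ancestry is FortiEndpoint_Patch.exe launched by powershell.exe, launched by cmd.exe, launched by fortitray.exe or ipsec.exe. The event field names and the sample events are constructed assumptions, not telemetry from the report.

```python
"""Process-ancestry detector for the EKZ Infostealer delivery chain.

Added example (not Arctic Wolf code). Input is a constructed list of
Sysmon-style process-creation events with pid, ppid and image fields.
"""
from typing import Dict, List

# Expected ancestry from the report, listed child-first. The last entry is a
# set because either FortiClient binary was observed launching cmd.exe.
CHAIN = [
    {"fortiendpoint_patch.exe"},
    {"powershell.exe"},
    {"cmd.exe"},
    {"fortitray.exe", "ipsec.exe"},
]

def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Return lower-cased image basenames from pid up to the root, child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against malformed or looping ppid data
        ev = by_pid[pid]
        chain.append(ev["image"].rsplit("\\", 1)[-1].lower())
        pid = ev["ppid"]
    return chain

def find_ekz_chains(events: List[dict]) -> List[int]:
    """Return pids whose nearest ancestors match CHAIN (anything above it is ignored)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        anc = ancestry(e["pid"], by_pid)
        if len(anc) >= len(CHAIN) and all(n in want for n, want in zip(anc, CHAIN)):
            hits.append(e["pid"])
    return hits

# Constructed sample events: one malicious chain and one benign admin session.
SAMPLE_EVENTS = [
    {"pid": 4, "ppid": 0, "image": "System"},
    {"pid": 900, "ppid": 4, "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe"},
    {"pid": 910, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 920, "ppid": 910, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 930, "ppid": 920, "image": r"C:\Users\Public\FortiEndpoint_Patch.exe"},
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 1010, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1020, "ppid": 1010, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 1030, "ppid": 1020, "image": r"C:\Windows\System32\whoami.exe"},
]

if __name__ == "__main__":
    print(find_ekz_chains(SAMPLE_EVENTS))  # [930]
```

The chain match is deliberately strict; a looser rule that alerts on the FortiEndpoint_Patch.exe filename alone, or on cmd.exe spawned by fortitray.exe/ipsec.exe regardless of what follows, is a reasonable companion hunt.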
Once active, EKZ Infostealer, a MinGW-compiled Windows credential stealer, targets a wide range of web browsers, including Chrome, Microsoft Edge, and other Chromium-based and Firefox/Gecko-based browsers.
The malware extracts session cookies, saved password credentials, and valuable autofill data such as credit card details, addresses, and phone numbers. The threat actors then exfiltrate this highly sensitive data to a threat-actor-controlled Virtual Private Server host.
The malware includes an internal SQLite-backed results store and CLI verbs, which researchers said suggest the attackers’ intent to support repeated operator-driven use across hosts.
Risk Mitigation
The EKZ infostealer in this campaign was purpose-built for credential theft, creating a risk beyond the initially affected endpoints. To reduce exposure to this threat, Arctic Wolf advises organizations running affected versions of FortiClient EMS to upgrade to a fixed version as soon as possible.
“Defenders should focus on certificate-authentication anomalies combined with unexpected Remote Access Profile configuration changes,” the report added.
This month, Fortinet patched critical RCE vulnerabilities in FortiSandbox and FortiAuthenticator. A March SentinelOne report warned that FortiGate edge intrusions led to deep network compromise and the creation of rogue workstations.