CVE-2026-35616 — FortiClient EMS Exploited to Deliver EKZ Infostealer
CVE-2026-35616, a critical authentication bypass in FortiClient EMS, is exploited to deliver the undocumented EKZ credential stealer disguised as a Fortinet patch through VPN scripting workflows.
Summary
CVE-2026-35616 is a critical authentication bypass vulnerability (CVSS 9.1) in FortiClient Enterprise Management Server (EMS) that is being actively exploited to deliver an undocumented credential stealer called EKZ. The vulnerability is an improper access control flaw allowing unauthenticated remote attackers to execute arbitrary code or commands via specially crafted requests.
Arctic Wolf documented the exploitation chain. The intrusion begins with the attacker abusing EMS endpoint APIs to perform administrative actions without authentication. The attacker then modifies EMS configuration and VPN policies to introduce malicious script execution. When affected endpoints establish an IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe launches malicious batch scripts through Command Prompt. These scripts execute a base64-encoded PowerShell payload that downloads and runs the EKZ infostealer disguised as a Fortinet endpoint update. Data is exfiltrated to an attacker-controlled VPS over HTTP.
The EKZ infostealer targets both Chromium-based and Firefox browsers, extracting credentials, credit card details, addresses, phone numbers, and session cookies to text files while bypassing encrypted password protections. The malware executes without command-line arguments, minimizing its forensic footprint.
Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6 in early April 2026. CISA ordered federal agencies to patch by the end of that week. The Shadowserver Foundation reported approximately 2,000 internet-exposed EMS instances at the time of disclosure.
Arctic Wolf identified a key detection signal: the log entry “Certificate not found in request header,” followed seconds later by “Certificate user: fortinet-ca2 … successfully updated.” Defenders should also monitor for certificate-authentication anomalies and unexpected changes to Remote Access Profile configurations.
Why It Matters
CVE-2026-35616 is a textbook example of the edge appliance vulnerability class that has become the dominant initial access vector in 2025–2026. The exploitation chain is particularly insidious because it abuses trusted VPN scripting workflows — the malware delivery happens through legitimate FortiClient mechanisms, making it harder to distinguish from normal operations. For organizations running FortiClient EMS, the exploitation path from an internet-facing management interface to credential theft on every connected endpoint represents a worst-case supply chain scenario. The presence of 2,000 exposed EMS instances suggests a large attack surface that attackers continue to exploit.
Defender Takeaways
- Immediately patch FortiClient EMS to version 7.4.7 or later; apply the emergency hotfix if running 7.4.5 or 7.4.6.
- Audit internet-exposed EMS instances — if accessible from the internet, restrict access or apply mitigations immediately.
- Monitor for the certificate-authentication anomaly pattern: “Certificate not found in request header” followed by certificate update success.
- Review VPN scripting policy configurations for unauthorized modifications.
- Monitor for unexpected PowerShell execution from FortiClient components (fortitray.exe launching batch scripts).
- Check for EKZ infostealer artifacts: unusual text files in browser data directories and HTTP POST traffic to unknown VPS IPs.
- Treat FortiClient as a critical trust boundary — exploitation here can lead to credential theft across the entire endpoint fleet.
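A small detection routine for the certificate-authentication log sequence described above, written here as an added example rather than code from Arctic Wolf, Fortinet or BleepingComputer. It assumes a constructed "ISO timestamp followed by message" log layout and a 30-second pairing window; both are assumptions to adapt to your own EMS log export.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<msg>.*)$")
MISSING_CERT = "Certificate not found in request header"
CERT_UPDATED_RE = re.compile(r"Certificate user: (?P<user>\S+).*successfully updated")

def parse_line(line):
    """Return (timestamp, message) for one log line, or None if it does not parse.
    The 'ISO-timestamp message' layout is a constructed assumption."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"), m.group("msg")

def find_cert_bypass_sequences(lines, window_seconds=30):
    """Return (missing_ts, update_ts, cert_user) for each certificate update that
    follows a not-yet-paired missing-certificate entry within window_seconds."""
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    window = timedelta(seconds=window_seconds)
    pending = []  # missing-certificate timestamps not yet paired with an update
    hits = []
    for ts, msg in events:
        if MISSING_CERT in msg:
            pending.append(ts)
            continue
        m = CERT_UPDATED_RE.search(msg)
        if not m:
            continue
        for p in pending:  # pair with the oldest anomaly still inside the window
            if timedelta(0) <= ts - p <= window:
                hits.append((p, ts, m.group("user")))
                pending.remove(p)
                break
    return hits

# Constructed sample: a routine update, an exploitation-like pair 4 s apart,
# and a pair 20 minutes apart that must not be flagged.
SAMPLE_LOG = [
    "2026-04-07T10:14:50Z Certificate user: fortinet-ca2 successfully updated",
    "2026-04-07T10:15:02Z Certificate not found in request header",
    "2026-04-07T10:15:06Z Certificate user: fortinet-ca2 successfully updated",
    "2026-04-07T11:00:00Z Certificate not found in request header",
    "2026-04-07T11:20:00Z Certificate user: fortinet-ca2 successfully updated",
]
if __name__ == "__main__":
    for missing_ts, update_ts, user in find_cert_bypass_sequences(SAMPLE_LOG):
        print(f"ALERT: {user} certificate updated at {update_ts}, "
              f"{(update_ts - missing_ts).total_seconds():.0f}s after a no-certificate request")
```

Run it against the constructed sample and only the 10:15:02/10:15:06 pair is reported; widen the window and the 20-minute pair also surfaces, which is why the window should be tuned to how quickly your EMS normally processes certificate updates.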
Source
Title: Hackers exploit FortiClient EMS flaw to push infostealer malware — BleepingComputer
URL: https://www.bleepingcomputer.com/news/security/hackers-exploit-forticlient-ems-flaw-to-push-infostealer-malware/
