Hackers exploit FortiClient EMS flaw to push infostealer malware
Hackers exploited FortiClient EMS CVE-2026-35616 to deliver EKZ, an undocumented infostealer, by disguising the payload as a Fortinet endpoint update and executing it through FortiClient VPN scripting workflows. The attack uses an authentication bypass to run commands, download EKZ, and exfiltrate credentials, browser data, and other sensitive information to an attacker-controlled server after tampering with EMS configurations and VPN policies. Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6; CISA ordered federal agencies to patch, and Arctic Wolf notes ongoing campaigns with many exposed EMS instances, offering detection guidance on certificate-auth anomalies and unusual remote-access changes.

HACKERS EXPLOIT FORTICLIENT EMS FLAW TO DELIVER EKZ INFOSTEALER
OVERVIEW
A critical authentication bypass vulnerability in FortiClient Enterprise Management Server (EMS), tracked as CVE-2026-35616, is being weaponized by attackers to push an undocumented credential stealer known as EKZ. The campaign relies on disguising the malware as a legitimate Fortinet endpoint update and executing it through FortiClient-managed VPN scripting workflows. Fortinet acknowledged the flaw earlier this year and released emergency hotfixes for affected product lines (versions 7.4.5 and 7.4.6). Observations from incident responders indicate that attackers exploit unauthenticated remote access to issue arbitrary commands and inject malicious scripts into EMS-managed configurations and VPN policies.
ATTACK CHAIN AND TECHNICAL FLOW
- Initial access and exposure: Exploitation begins with an improper access control flaw that allows unauthenticated actors to reach and manipulate EMS endpoints remotely.
- Abuse of EMS APIs: Attackers leverage endpoint APIs to perform administrative actions without needing valid credentials.
- Configuration and policy tampering: The adversary modifies EMS configurations and VPN policies to enable the execution of malicious scripts on protected endpoints.
- VPN session initiation: An IPsec tunnel is established to a FortiGate firewall, at which point legitimate FortiClient components begin to run scripted actions.
- Execution of malicious scripts: FortiTray triggers command-line scripts that launch PowerShell, avoiding user interaction in many cases.
- Payload delivery: A base64-encoded PowerShell payload is downloaded and executed, delivering EKZ infostealer under the guise of a Fortinet patch.
- Data exfiltration: Once installed, EKZ exfiltrates harvested data to an attacker-controlled server over HTTP, continuing to operate in the background.
- Silent operation: The malware runs with minimal user visibility and removes local artifacts to hinder discovery.
THE EKZ INFOSTEALER: CAPABILITIES AND TARGETS
- Stealer profile: EKZ is an information-stealer designed to harvest credentials and other sensitive data from endpoints.
- Browser targets: The malware targets data stored by Chromium-based browsers as well as Firefox, extracting stored credentials and related information.
- Data types exfiltrated: Credentials, payment card details, physical addresses, phone numbers, and cookies are exfiltrated, providing access to accounts even when some protections are in place.
- Local staging: Harvested data is written to local text files before being sent to external servers.
- Encrypted credential stores: EKZ harvests data in a way that can bypass some forms of encrypted password protection.
- Execution model: The stealer operates without requiring command-line arguments, enabling a more autonomous infection lifecycle after initial deployment.
INDICATORS OF COMPROMISE AND FORENSICS
- Log entries signaling unusual certificate behavior: One notable indicator observed by defenders is a log line stating “Certificate not found in request header,” which, in observed cases, was followed moments later by an entry indicating a certificate user (e.g., fortinet-ca2) was updated.
- Administrative activity patterns: Indicators include new administrative accounts, logins from unfamiliar origins (such as Tor nodes or VPS IPs), and configuration changes within EMS or VPN policy sets.
- Scripted execution traces: Logs may reveal command scripts launching PowerShell via FortiClient components (such as fortitray.exe) and the execution of nonstandard batch or PowerShell payloads.
- Network egress patterns: Post-infection activity tends to include HTTP-based data exfiltration to attacker-controlled infrastructure.
- Endpoint API activity: Unauthenticated or unusual calls to EMS APIs that resemble administrative actions may appear in endpoint telemetry and EMS logs.
CONTEXT AND TIMELINE NOTES
- Fortinet response: In early 2026, Fortinet released emergency hotfixes addressing CVE-2026-35616 for affected EMS versions (notably 7.4.5 and 7.4.6) to mitigate exploitation paths.
- Government and industry monitoring: Regulatory and security groups moved to restrict or patch exposed EMS instances, with federal guidance aiming to secure deployments within tight deadlines.
- Observed scope: Security researchers noted thousands of EMS instances accessible from the internet, underscoring the broad potential impact of the vulnerability when left unpatched.
- Research observations: Arctic Wolf and other researchers documented how attackers pivot through EMS APIs, alter VPN-related configurations, and trigger execution chains that culminate in the EKZ payload being downloaded and run as a “Fortinet patch.”
DETECTION GUIDANCE AND FORENSIC CONTEXT
- Look for certificate-authentication anomalies in EMS-related logs and unexpected changes to Remote Access Profile configurations as potential precursors to exploitation.
- Monitor for suspicious administrative actions, including creation of new accounts, logins from atypical origins, and rapid configuration alterations within EMS and VPN policies.
- Correlate FortiClient activity with PowerShell invocation and base64-encoded payloads that appear in script execution channels, particularly when delivered through legitimate-looking update workflows.
- Correlate browser data exfiltration patterns with observed network destinations (unrecognized HTTP endpoints) and the presence of artifacts that resemble the EKZ infostealer’s typical data targets.
- Maintain awareness of log sequences where an initial “Certificate not found in request header” event is quickly followed by “Certificate user … updated,” which may reflect an exploitation attempt in practice.
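As an added example (not code from the article, from Fortinet or from Arctic Wolf), the following Python script implements two of the checks described in the indicator and detection sections above: the "Certificate not found in request header" event followed within a short window by a "Certificate user … updated" event, and a powershell.exe process whose ancestry includes fortitray.exe and whose command line carries a base64-encoded payload. The log layout (ISO timestamp followed by the message text), the process-event tuples and the payload are constructed samples; the real EMS log format, the endpoint telemetry schema and the 60-second correlation window are assumptions to adapt to your own sources.

```python
"""Detection helpers for the FortiClient EMS indicators described above.

Every log line and process event here is a constructed sample.  The
"<ISO timestamp> <message>" layout and the (pid, ppid, image, cmdline)
tuples are assumptions standing in for real EMS logs and EDR telemetry.
"""
import base64
import re
from datetime import datetime, timedelta

# Constructed EMS log sample (not real Fortinet output).
SAMPLE_EMS_LOG = """\
2026-03-02T10:14:55Z Certificate not found in request header
2026-03-02T10:14:58Z Certificate user fortinet-ca2 updated
2026-03-02T11:30:01Z Certificate not found in request header
2026-03-02T13:02:10Z Certificate user fortinet-ca2 updated
"""

CERT_MISSING = "Certificate not found in request header"
CERT_UPDATED_RE = re.compile(r"Certificate user (\S+) updated")


def parse_log(text):
    """Split '<ISO timestamp> <message>' lines into (datetime, message)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, msg = line.partition(" ")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), msg))
    return events


def find_cert_sequences(text, window_seconds=60):
    """Return (missing_ts, updated_ts, cert_user) for every 'not found'
    event that is followed within window_seconds by a 'Certificate user
    ... updated' event.  Events are assumed to be in chronological order."""
    events = parse_log(text)
    window = timedelta(seconds=window_seconds)
    hits = []
    for i, (ts, msg) in enumerate(events):
        if msg != CERT_MISSING:
            continue
        for ts2, msg2 in events[i + 1:]:
            if ts2 - ts > window:
                break  # outside the correlation window; stop scanning
            m = CERT_UPDATED_RE.match(msg2)
            if m:
                hits.append((ts, ts2, m.group(1)))
                break
    return hits


# Constructed process telemetry: (pid, ppid, image, command line).
# The payload is a harmless string, base64-encoded the way PowerShell's
# -EncodedCommand expects (UTF-16LE), purely to exercise the detector.
SAMPLE_PAYLOAD = "Write-Output 'constructed sample payload'"
SAMPLE_PROCESSES = [
    (400, 1, "explorer.exe", "explorer.exe"),
    (412, 400, "FortiTray.exe", "FortiTray.exe"),
    (520, 412, "cmd.exe", "cmd.exe /c update.bat"),
    (633, 520, "powershell.exe", "powershell.exe -EncodedCommand "
     + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()),
    (700, 400, "powershell.exe", "powershell.exe -File inventory.ps1"),
]

FORTICLIENT_PARENTS = {"fortitray.exe"}
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def decode_b64_token(token):
    """Decode a base64 token as UTF-16LE, falling back to UTF-8; return
    None when the token is not valid base64 (binascii.Error is a ValueError)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return None


def find_forticlient_powershell(processes):
    """Return one finding per powershell.exe whose ancestor chain contains
    a FortiClient component and whose command line carries a base64 token."""
    by_pid = {pid: (ppid, image.lower()) for pid, ppid, image, _ in processes}

    def has_forticlient_ancestor(pid):
        seen = set()
        while pid in by_pid and pid not in seen:  # 'seen' guards pid reuse loops
            seen.add(pid)
            ppid, image = by_pid[pid]
            if image in FORTICLIENT_PARENTS:
                return True
            pid = ppid
        return False

    findings = []
    for pid, ppid, image, cmdline in processes:
        if image.lower() != "powershell.exe" or not has_forticlient_ancestor(ppid):
            continue
        for token in cmdline.split():
            if B64_TOKEN_RE.match(token):
                findings.append({"pid": pid, "decoded": decode_b64_token(token)})
                break
    return findings


if __name__ == "__main__":
    for missing, updated, user in find_cert_sequences(SAMPLE_EMS_LOG):
        print(f"cert anomaly: {missing} -> {updated} (user {user})")
    for f in find_forticlient_powershell(SAMPLE_PROCESSES):
        print(f"FortiClient-spawned encoded PowerShell, pid {f['pid']}: {f['decoded']!r}")
```

The second sample sequence in the log (a "not found" event followed by an update more than an hour later) is deliberately not reported, and the powershell.exe launched directly under explorer.exe is ignored because no FortiClient component sits in its ancestry; both negatives keep the check from paging on routine certificate maintenance or ordinary scripted administration.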
ADDITIONAL OBSERVATIONS
- Campaign framing: Rather than relying on generic malware lures, attackers presented EKZ as a Fortinet endpoint update, leveraging FortiClient-managed VPN scripting workflows to blend with normal administrative operations.
- Silent persistence: EKZ downloader and payload execution are designed to minimize user friction and system disturbance, emphasizing stealth in the early stages of compromise.
- Defensive stance: The convergence of EMS misconfigurations, VPN policy changes, and certificate-authentication anomalies provides a multi-faceted signal set for threat hunters investigating suspected FortiClient EMS abuse.