Hackers exploit FortiClient EMS flaw to push infostealer malware

HomeNewsSecurityHackers exploit FortiClient EMS flaw to push infostealer malware

Hackers exploit FortiClient EMS flaw to push infostealer malware By Bill Toulas May 28, 2026 01:25 PM 0 Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. The attacker disguised the malware as an update for Fortinet endpoints and executed it through VPN scripting workflows managed by FortiClient. The exploited critical vulnerability is an improper access control flaw that allows unauthenticated remote attackers to execute arbitrary code or commands via specially crafted requests. Fortinet confirmed in early April that it was being exploited and released emergency hotfixes for versions 7.4.5 and 7.4.6 of the product. CISA reacted quickly to the malicious activity and ordered federal agencies to secure their instances by the end of that week, while the internet security watchdog group The Shadowserver Foundation reported at the time that it was seeing 2,000 internet-exposed EMS instances. Earlier this month, cybersecurity company Arctic Wolf observed attacks leveraging the vulnerability to deliver the EKZ infostealer. The researchers note that the intrusion begins with abusing endpoint APIs to perform administrative actions without authentication. The attacker then modifies the EMS configuration and VPN policies to introduce the execution of malicious scripts. Seconds after endpoints established an IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe launched malicious batch scripts through Command Prompt. Those scripts executed a base64-encoded PowerShell payload that downloaded and ran malware disguised as a Fortinet patch, then exfiltrated data to an attacker-controlled VPS over HTTP. Malicious PowerShell codeSource: Arctic Wolf “Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows,” reads the report from Arctic Wolf. “On affected endpoints, FortiClient components launched command scripts that invoked PowerShell, downloaded a credential stealer, executed it silently, and exfiltrated harvested browser data before removing local artifacts.” The downloaded payload, tracked as EKZ Infostealer, features fairly standard information-stealing functionality. It targets both Chromium-based and Firefox web browsers and extracts stored data to text files while bypassing encrypted password protections. Stealer executes without argumentsSource: Arctic Wolf The malware targets credentials, credit card details, addresses, phone numbers, and cookies, which provide access to accounts protected by multi-factor authentication without loging it. According to Arctic Wolf, one indication of an exploitation attempt in attacks delivering the EKZ infostealer is the presence in the logs of the line "Certificate not found in request header." In lab tests, the error was followed in seconds by another entry: Certificate user: fortinet-ca2 … successfully updated As such, the researchers recommend defenders look for certificate-authentication anomalies and unexpected changes to Remote Access Profile configurations. Any suspicious administrative activity, such as new accounts, logins with an unfamiliar origin (Tor, VPS IP addresses), or actions leading to configuration changes, should be considered red flags. Arctic Wolf's report provides extensive detection guidance that could help organizations prevent the observed attacks.

The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Download Now

Related Articles: Hackers bypass SonicWall VPN MFA due to incomplete patchingHackers exploit auth bypass flaw in Burst Statistics WordPress pluginCritical cPanel and WHM bug exploited as a zero-day, PoC now availableCritical Nginx UI auth bypass flaw now actively exploited in the wildCISA orders feds to patch exploited Fortinet EMS flaw by Friday Actively Exploited

Authentication Bypass

EKZ Infostealer

Forticlient EMS

Info Stealer

Information Stealer

Vulnerability

Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Post a Comment Community Rules You need to login in order to post a comment Not a member yet? Register Now