Critical FortiClient EMS Vulnerability Exploited in Active Campaign Delivering EKZ Infostealer
- May 28
- 3 min read
Key Findings
Threat actors are actively exploiting CVE-2026-35616, a critical FortiClient EMS vulnerability with a CVSS score of 9.1, to deploy credential-stealing malware across enterprise networks
Attackers abuse legitimate FortiClient management pathways to push malicious PowerShell commands, evading traditional network monitoring solutions
A new infostealer payload named EKZ Infostealer masquerades as vendor software updates and extracts credentials from Chrome and Firefox, including encrypted password bypass techniques
Compromised endpoints expose organizations to downstream attacks targeting cloud services, repositories, and authenticated resources where session cookies may bypass MFA
The campaign targets high-value corporate environments, suggesting financially motivated eCrime actors seeking extortion payouts
Background
Arctic Wolf security researchers uncovered this sophisticated exploitation campaign in May 2026, targeting FortiClient Endpoint Management Server (EMS) systems worldwide. The threat actors weaponized CVE-2026-35616, a pre-authentication API access bypass vulnerability that enables privilege escalation. This critical flaw impacts FortiClient EMS deployments and affects any organization running vulnerable versions of the management platform.
Weaponizing Trusted Management Paths
Rather than relying on traditional phishing tactics, threat actors modified their distribution methods to blend seamlessly with normal network operations. They abused legitimate administrative channels within FortiClient to push unauthorized commands. The observed execution pattern reveals that attackers leveraged FortiClient's own management pathway to distribute malicious PowerShell commands to managed endpoints in ways that resembled authentic management operations.
This approach proved highly effective because traditional network monitoring solutions failed to flag the unauthorized commands during the initial intrusion phase. Once attackers gained privileged access to modify EMS configurations, every managed endpoint became a potential execution target without requiring separate intrusion paths to individual devices.
The Arrival of EKZ Infostealer
Adversaries created a highly tailored credential harvesting tool designated as the EKZ Infostealer. The malicious executable, named "FortiEndpoint_Patch.exe," masquerades as legitimate Fortinet endpoint updates to avoid detection. The payload utilizes specific scripts to extract user profiles directly from active applications.
The infostealer supports credential extraction from both Chrome and Firefox browsers, including bypass techniques targeting Chrome's encrypted password storage mechanisms. The malware harvests sensitive data including passwords, cookies, autofill details, credit card information, addresses, and phone numbers. The harvested data is written to a log file and stored in the ProgramData directory.
The attack chain involves legitimate FortiClient executable "fortitray.exe" launching a .cmd script file, which invokes a Base64-encoded PowerShell script. This PowerShell script downloads the malicious payload, executes it, and exfiltrates results to attacker infrastructure at 83.138.53[.]110 via HTTP POST requests.
Severe Downstream Risks for Enterprises
A successful infection presents long-term operational challenges that extend far beyond the initial compromise. Stolen credentials and session cookies provide threat actors with follow-on access to cloud services, internal applications, and other authenticated resources. This access is particularly dangerous because session reuse may circumvent standard multi-factor authentication prompts.
Attackers frequently target developer workstations and endpoint control panels to expand their operational reach into source code repositories and secondary cloud networks. The compromised data enables threat actors to pivot laterally across enterprise infrastructure, potentially establishing persistent backdoor access for continued exploitation.
Analyzing the Attacker's Motives
Threat intelligence data suggests purely financial motivation behind this campaign. eCrime actors deliberately target high-value corporate environments to maximize extortion payouts. By compromising critical management assets and developer workstations, adversaries leverage their access to negotiate larger ransoms or conduct data theft operations.
The sophistication and targeting patterns indicate organized threat groups with sufficient resources to develop custom malware and maintain operational infrastructure. This is not opportunistic malware but rather a focused campaign against enterprise targets with valuable intellectual property and authentication credentials.
Mandatory Mitigation and Hardening Steps
Recommended Upgrades
System administrators must implement immediate infrastructure adjustments to eliminate exposure to this threat. Organizations running affected versions of FortiClient EMS should upgrade to version 7.4.7 or later where Fortinet addressed the underlying security flaw. This patching effort forms the critical first line of defense against active exploitation.
Restricting Port Access
Network engineers should apply strict perimeter access controls to secure the corporate environment. Specifically, network access to the FortiClient EMS management port 8013 should be explicitly restricted to trusted IP ranges only. This prevents external threat actors from reaching the management endpoint to initiate malicious script execution sequences.
Organizations should review their entire network architecture to isolate key administrative nodes from general corporate traffic. Implementing strict boundary rules around common communication ports reduces the attack surface significantly.
Continuous Monitoring for Future Threats
Organizations must establish persistent observation strategies to catch hidden anomalies early. Security teams should execute automated file inventory sweeps across all corporate systems regularly to identify unauthorized executables or suspicious PowerShell execution patterns.
The rapid evolution of infostealer payloads highlights the necessity of multi-layered perimeter defense architectures. Applying these proactive measures protects sensitive enterprise networks from devastating corporate infrastructure breaches and credential theft operations that could enable long-term adversary access.
Sources
https://securityonline.info/forticlient-ems-exploitation-ekz-infostealer/
https://thehackernews.com/2026/05/threat-actors-exploit-critical.html

Comments