CRITICAL: FortiClient EMS Bug CVE-2026-35616 Weaponized to Push EKZ Infostealer Across Managed Fleets
Threat actors are abusing CVE-2026-35616, a CVSS 9.1 pre-authentication API bypass in FortiClient EMS, to hijack endpoint management consoles and push the newly identified EKZ infostealer to every managed endpoint disguised as FortiEndpoint_Patch.exe. Patch to 7.4.7 immediately and hunt for indicators in EMS logs and on managed hosts.
Endpoint management consoles are supposed to be the calm center of an environment, the place administrators trust to push policy, deliver updates, and keep thousands of laptops marching in formation. When one of those consoles becomes the attacker, every endpoint it ever touched becomes a victim by association. That is exactly what is unfolding right now with FortiClient EMS, where threat actors are abusing CVE-2026-35616 to log in as if they owned the place, modify the same Remote Access Profiles administrators rely on, and quietly push a credential stealer to every managed endpoint under the guise of a Fortinet update.
The vulnerability itself is a CVSS 9.1 improper access control flaw in FortiClient Enterprise Management Server, the centralized console organizations use to provision, configure, and monitor FortiClient on Windows, macOS, and Linux endpoints. In practical terms it is a pre-authentication API bypass. An attacker sends a specially crafted HTTP request to the EMS, the server fails to enforce its certificate-based client authentication, and the request is processed as if it came from a trusted administrator. Fortinet addressed the underlying bug in FortiClient EMS 7.4.7 and shipped emergency hotfixes for 7.4.5 and 7.4.6 earlier this spring after confirming exploitation in the wild. Any environment still sitting on 7.4.6 or earlier is, for all intents and purposes, a free administrative account waiting to be claimed.
Arctic Wolf, which published the most detailed teardown of the campaign, traced the activity through a fairly clean signature in the EMS logs. The smoking gun is a "Certificate not found in request header" entry followed immediately by a successful fabric device update message. In a healthy environment, those two events should never sit next to each other. In a compromised one, they are the moment the attacker walked through the front door without being asked for ID. From there the operators tend to log in from Tor exit nodes or rented VPS infrastructure, with observed source addresses including 185.220.101.15 on AS60729 and 192.42.116.14 on AS215125, both well-known relay nets that have no business authenticating to your endpoint management console under any circumstance.
What happens after the bypass is where this story stops being a typical vulnerability advisory and starts becoming a supply chain problem inside your own network. The attackers do not bother dropping payloads on the EMS host itself. Instead they edit Remote Access Profile settings, the same profiles your users connect to every day when they fire up the VPN. Specifically, they inject an on_connect script that runs the next time a managed endpoint negotiates a tunnel. Because the script is pushed through the legitimate FortiClient mechanism, it executes inside a fully trusted process tree: fortitray.exe spawning cmd.exe spawning a base64-encoded PowerShell stub, which in turn reaches out to attacker infrastructure for the second stage. The payload is a small Windows binary that has been masquerading under the unusually credible filename FortiEndpoint_Patch.exe, an executable named to survive even a moderately attentive analyst glancing at a process list. Many environments will see "Fortinet" and "patch" in the same string and move on to the next ticket.
The payload is a previously undocumented infostealer that researchers are tracking as EKZ. It is compiled with MinGW-w64 and weighs in just under four megabytes, with a SHA-256 of 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e. On execution it goes hunting for browser data. For Chromium-based browsers including Chrome and Edge it calls IElevator::DecryptData to obtain the Chromium v20 AES-256 master key, which is the same approach modern stealers have converged on now that Google moved app-bound encryption into the elevation service. For Firefox it dynamically loads the NSS libraries directly out of the browser install path and walks key4.db and logins.json to pull saved credentials. Cookies, autofill data, credit card numbers, addresses, and phone numbers all get scraped into C:\ProgramData\log.txt, then shipped out over plain HTTP POST to hxxp://83.138.53[.]110/service/save.php. The original loader pulls its second stage from hxxp://83.138.53[.]110/dl/p.exe, so a single hardcoded IP shows up on both the inbound download and the outbound exfiltration, which is exactly the kind of indicator a half-decent network detection rule should be lighting up on within seconds.
The reason this campaign is dangerous out of proportion to its technical complexity is the trust model it inherits. FortiClient EMS exists precisely so administrators can push configurations to large fleets without touching individual machines. Compromising one EMS instance gives the attacker, in one shot, the ability to silently distribute code to every endpoint that has ever enrolled. The endpoints themselves have no reason to refuse, because the instruction is coming from their legitimate management server, signed and delivered through the channel they were designed to trust. The cookies the EKZ stealer is yanking out of those browsers are not just nice to have. Session cookies are increasingly the path of least resistance around MFA, since a freshly stolen session token can be replayed against Microsoft 365, Google Workspace, Salesforce, or any other SaaS the user happened to be logged into when the script ran. By the time the user gets a prompt to reauthenticate, the attacker has already been inside for hours.
If you operate FortiClient EMS in any form, the patch story is not optional. Upgrade to 7.4.7 or later today and stop reading negotiation memos about change windows. While you are in there, restrict TCP 8013, the EMS management port, to a tight allowlist of administrative source addresses, because exposing the management plane of an endpoint orchestration product to the open internet was always asking for trouble and CVE-2026-35616 just sent the invoice. Then do the hunting. Pull EMS logs for the certificate header anomaly pattern, look at every login from an ASN you do not recognize, and audit Remote Access Profile changes outside of approved change windows. On the endpoint side, alert on PowerShell processes whose parent chain runs through C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts, watch for the creation of C:\ProgramData\log.txt, and flag any outbound HTTP to 83.138.53.110 with extreme prejudice. If you find any of those, assume credential theft has already occurred and start rotating browser-stored secrets, session tokens, and any SaaS account those endpoints were signed into.
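As an added illustration of the EMS log hunt described above (example code written for this page, not from the advisory, Arctic Wolf, or Fortinet), the following Python correlates the "Certificate not found in request header" entry with an immediately following successful fabric device update and cross-checks source addresses against the relay nodes named in the article. The key=value log layout, the sample lines, and the five-second pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample EMS log lines for this example; the key=value layout is an
# assumption, not Fortinet's real log format. The message strings and relay
# addresses are the ones quoted in the advisory.
SAMPLE_LOG = """\
2026-05-12T09:14:02Z src=10.20.5.7 msg="Admin login successful"
2026-05-12T09:31:55Z src=185.220.101.15 msg="Certificate not found in request header"
2026-05-12T09:31:56Z src=185.220.101.15 msg="Fabric device update successful"
2026-05-12T10:02:11Z src=10.20.5.9 msg="Certificate not found in request header"
2026-05-12T11:45:00Z src=10.20.5.7 msg="Remote Access Profile updated"
2026-05-12T12:20:40Z src=192.42.116.14 msg="Certificate not found in request header"
2026-05-12T12:20:40Z src=192.42.116.14 msg="Fabric device update successful"
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) msg="(?P<msg>[^"]*)"')
CERT_MISSING = "Certificate not found in request header"
FABRIC_UPDATE = "Fabric device update successful"
KNOWN_RELAY_SOURCES = {"185.220.101.15", "192.42.116.14"}

def parse(log_text):
    """Turn log lines into (timestamp, source_ip, message) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["msg"]))
    return events

def find_bypass_sequences(events, window_seconds=5):
    """Flag each 'Certificate not found' event whose very next event is a
    successful fabric device update within window_seconds, the pairing the
    advisory calls the smoking gun. Returns [(iso_timestamp, source_ip)]."""
    hits = []
    for (ts, src, msg), (ts2, _, msg2) in zip(events, events[1:]):
        if (msg == CERT_MISSING and msg2 == FABRIC_UPDATE
                and ts2 - ts <= timedelta(seconds=window_seconds)):
            hits.append((ts.isoformat(), src))
    return hits

def flag_relay_sources(events):
    """Source addresses in the log that match the advisory's relay nodes."""
    return sorted({src for _, src, _ in events if src in KNOWN_RELAY_SOURCES})

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for ts, src in find_bypass_sequences(ev):
        print(f"possible CVE-2026-35616 bypass at {ts} from {src}")
    print("relay sources seen:", flag_relay_sources(ev))
```

The lone cert-missing entry from 10.20.5.9 is deliberately not followed by an update and so is not flagged, which keeps routine TLS misconfigurations out of the alert.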
There is a broader lesson sitting underneath this incident, and it applies whether you run FortiClient EMS or one of its competitors. Management infrastructure has become high-value real estate for attackers because it offers leverage that is otherwise hard to obtain. A single console can reach further into an environment in five minutes than a phishing campaign can in five weeks. Treat these platforms the way you would treat a domain controller, with isolated network segments, conditional access, strong authentication on every administrator, and aggressive monitoring of every configuration change. If your EMS administrators can log in from a coffee shop on a personal laptop, you have a CVE-2026-35616 waiting to happen, just with a different vendor name attached.
For MSPs and security partners, this is one of those advisories that practically writes the customer email for you. Anyone running Fortinet endpoint products is going to want confirmation that their EMS is patched, segmented, and not currently exfiltrating browser data to a Tor-connected IP somewhere in eastern Europe. That conversation opens the door to a managed vulnerability and patch service for those still running things in house, a hunt engagement to confirm no historical compromise, and a longer-term play around managed detection and response on the endpoints those EMS instances control. Bundle the patch verification with a sixty-minute IoC sweep against 83.138.53.110 and the EKZ hashes, and you have a high-value, low-friction offer that prospects can say yes to before lunch.
References
- The Hacker News: Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
- Arctic Wolf Labs: FortiClient EMS Exploited via CVE-2026-35616
https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
- BleepingComputer: Hackers Exploit FortiClient EMS Flaw to Push Infostealer Malware
https://www.bleepingcomputer.com/news/security/hackers-exploit-forticlient-ems-flaw-to-push-infostealer-malware/
- Security Affairs: CVE-2026-35616 Actively Exploited
https://securityaffairs.com/192817/malware/cve-2026-35616-forticlient-ems-flaw-actively-exploited-in-malware-attacks.html
- NVD CVE-2026-35616
https://nvd.nist.gov/vuln/detail/CVE-2026-35616