FortiClient Endpoint Management Server (EMS) has recently been targeted in an exploitation campaign that deploys a newly discovered credential-stealing malware. Because EMS is trusted by every endpoint it manages, the attackers were able to use that infrastructure to distribute the malware across enterprise systems covertly.
Details of the Vulnerability
Researchers from Arctic Wolf identified in May 2026 that the exploitation involves CVE-2026-35616, a vulnerability in FortiClient EMS related to improper access control. This flaw permits unauthorized actors to bypass API authentication, enabling them to execute privileged commands without valid credentials.
Once the attackers had access to the EMS configuration, they altered it to push malicious scripts to all managed endpoints. The exploitation abuses the on_connect directive, a legitimate FortiClient feature, to launch script files whenever a VPN connection is established.
Mechanism of Attack
When devices connect via an IPsec tunnel, scripts with GUID-based filenames are launched and execute a PowerShell payload. This payload downloads and runs a malicious executable, FortiEndpoint_Patch.exe, which is the EKZ Infostealer. The resulting process chain is fortitray.exe or ipsec.exe spawning cmd.exe and powershell.exe, which in turn execute the malware.
Initial access was traced to login attempts from Tor exit nodes, highlighting the sophistication of the attack strategy. The payload, disguised as a routine patch, targets popular web browsers to extract sensitive data.
Impact and Mitigation Strategies
The EKZ Infostealer specifically targets browsers such as Chrome, Edge, and Firefox, extracting data from their credential databases and cookie stores. This data includes passwords and credit card information, and because stolen session cookies can be replayed, it poses a severe risk of account takeover even where multi-factor authentication is enabled.
Organizations are advised to urgently update FortiClient EMS to a secure version to mitigate this vulnerability. Additionally, access to management ports should be restricted to trusted IP ranges, and all VPN script configurations should be audited for unauthorized changes.
Given the widespread impact of a single EMS breach, enterprises using FortiClient should prioritize incident response actions to safeguard against potential threats.
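As an added illustration, not code from Arctic Wolf or from the original article, the following Python script applies the process chain and artifact names described above to process-creation records: fortitray.exe or ipsec.exe spawning cmd.exe or powershell.exe, command lines that reference a GUID-named script, and the FortiEndpoint_Patch.exe file name. The sample events are constructed for this example, and the assumption that the GUID-named scripts may carry any extension is the example's own.

```python
import re

# Process-creation records in the shape of Sysmon Event ID 1 / Windows 4688
# entries. Constructed for this example, not captured from a real host.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\ProgramData\Fortinet\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Start-Process C:\Users\Public\FortiEndpoint_Patch.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Parent processes named in the article as the start of the chain.
VPN_PARENTS = {"fortitray.exe", "ipsec.exe"}
# Shells the article reports being spawned to run the payload.
SHELLS = {"cmd.exe", "powershell.exe"}
# {GUID}.<ext>: the article says only "GUID-based filenames", so any
# extension is accepted here (assumption).
GUID_SCRIPT = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.\w+", re.I)
# Payload file name reported in the article.
PATCH_ARTIFACT = re.compile(r"FortiEndpoint_Patch\.exe", re.I)


def _name(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Return the names of the campaign indicators that a single event matches."""
    hits = []
    if _name(event["parent"]) in VPN_PARENTS and _name(event["image"]) in SHELLS:
        hits.append("vpn_client_spawns_shell")
    if GUID_SCRIPT.search(event["cmdline"]):
        hits.append("guid_named_script")
    if PATCH_ARTIFACT.search(event["cmdline"]):
        hits.append("fortiendpoint_patch_artifact")
    return hits


def scan(events):
    """Return (index, hits) for every event matching at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

A legitimate on_connect script produces the same parent-child chain, so a hit from the first rule is a prompt to compare the script against the audited EMS configuration rather than a verdict on its own.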
