Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
FortiClient Exploitation Leads to EKZ Malware Deployment

FortiClient Exploitation Leads to EKZ Malware Deployment

Posted on May 28, 2026 By CWS

In a significant cybersecurity alert, FortiClient Endpoint Management Server (EMS) has recently been targeted in an exploitation campaign, resulting in the deployment of a newly discovered credential-stealing malware. This campaign leverages trusted infrastructure to distribute the malware across enterprise systems covertly.

Details of the Vulnerability

Researchers from Arctic Wolf identified in May 2026 that the exploitation involves CVE-2026-35616, a vulnerability in FortiClient EMS related to improper access control. This flaw permits unauthorized actors to bypass API authentication, enabling them to execute privileged commands without valid credentials.

Once attackers infiltrated the EMS settings, they altered configurations to inject harmful scripts across all managed endpoints. The exploitation utilizes the on_connect directive, a legitimate feature of FortiClient, to launch malicious script files upon establishing a VPN connection.

Mechanism of Attack

When devices connect via an IPsec tunnel, scripts with GUID-based filenames are launched, executing a PowerShell payload. This payload downloads and runs a malicious executable, FortiEndpoint_Patch.exe, which acts as the EKZ Infostealer. The process involves fortitray.exe or ipsec.exe triggering cmd.exe and powershell.exe to execute the malware.

Initial access was traced to login attempts from Tor exit nodes, highlighting the sophistication of the attack strategy. The payload, disguised as a routine patch, targets popular web browsers to extract sensitive data.

Impact and Mitigation Strategies

The EKZ Infostealer specifically aims at browsers like Chrome, Edge, and Firefox, extracting data from credential databases and cookies. This data includes passwords and credit card information, posing a severe risk of account takeovers despite multi-factor authentication.

Organizations are advised to urgently update FortiClient EMS to a secure version to mitigate this vulnerability. Additionally, access to management ports should be restricted to trusted IP ranges, and all VPN script configurations should be audited for unauthorized changes.

Given the widespread impact of a single EMS breach, enterprises using FortiClient should prioritize incident response actions to safeguard against potential threats.

Stay informed about the latest security updates by following us on Google News, LinkedIn, and X.

Cyber Security News Tags:API authentication, Arctic Wolf, browser security, credential stealer, CVE-2026-35616, cyber attack, Cybersecurity, EKZ malware, endpoint security, FortiClient, Information Security, Malware, network security, Tor exit nodes, Vulnerability

Post navigation

Previous Post: BTMOB Malware Enables Remote Android Control
Next Post: Enhanced Security and Speed in Latest Claude Code Update

Related Posts

New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens Cyber Security News
OpenAI Unveils GPT-5.5-Cyber for Automated Security OpenAI Unveils GPT-5.5-Cyber for Automated Security Cyber Security News
PoC Exploit Released for Linux-PAM Vulnerability Allowing Root Privilege Escalation PoC Exploit Released for Linux-PAM Vulnerability Allowing Root Privilege Escalation Cyber Security News
Critical Apache ZooKeeper Flaws Demand Urgent Updates Critical Apache ZooKeeper Flaws Demand Urgent Updates Cyber Security News
New TokenBreak Attack Bypasses AI Model’s with Just a Single Character Change New TokenBreak Attack Bypasses AI Model’s with Just a Single Character Change Cyber Security News
Ransomware Disrupts BridgePay’s Nationwide Payment Processing Ransomware Disrupts BridgePay’s Nationwide Payment Processing Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark