FortiClient EMS bug CVE-2026-35616 now drops EKZ stealer as fake patch

Arctic Wolf says attackers are using the pre-auth FortiClient EMS flaw to push a previously undocumented infostealer disguised as a Fortinet endpoint update.

A new exploitation cluster targeting FortiClient Endpoint Management Server (EMS) is using the already-patched CVE-2026-35616 — Fortinet PSIRT advisory FG-IR-26-099 — to deploy a previously undocumented credential stealer that Arctic Wolf has named EKZ. The payload is delivered to managed endpoints through FortiClient's own management pathway, disguised as a routine Fortinet patch. Arctic Wolf's writeup, FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer, and follow-on reporting at BleepingComputer and Help Net Security describe a cluster active in May 2026.

No vendor has attributed the activity to a named group.

The bug

CVE-2026-35616 is an improper access control flaw (CWE-284) in the FortiClient EMS API that lets an unauthenticated attacker bypass authentication on a crafted request and reach privileged endpoints — pre-authentication remote code execution, CVSS 9.1 per Fortinet's advisory. CISA added it to the Known Exploited Vulnerabilities catalog shortly after Fortinet's disclosure. watchTowr's Attacker Eye sensors observed in-the-wild exploitation on March 31, 2026 — four days before Fortinet's advisory landed on April 4, 2026.

Affected and fixed versions

  • Affected: FortiClient EMS 7.4.5 and 7.4.6.
  • Not affected: the 7.2 branch.
  • Permanent fix: 7.4.7.
  • Out-of-band hotfixes are also available for 7.4.5 and 7.4.6.
  • FortiClient Cloud and FortiSASE were remediated server-side by Fortinet.

What's new this week

The April advisory and the first wave of exploitation were widely covered. What changed in late May is the payload: Arctic Wolf observed threat actors using an EMS-managed deployment to push a base64-encoded PowerShell loader to every endpoint reporting to the server. The script:

  1. Downloads a payload from a hard-coded VPS (Arctic Wolf-published IOC 83.138.53.110) with several fallback methods.
  2. Writes the binary to disk and executes it silently.
  3. Sleeps roughly 90 seconds.
  4. POSTs harvested data back to the same C2 over plain HTTP.

The malicious script files land in FortiClient's standard VPN logging path — C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd — and the stealer's staging log is written to C:\ProgramData\log.txt. The dropped binary is EKZ Infostealer, named after internal symbols Arctic Wolf recovered from the decrypted code; it targets Chrome and Firefox credential stores and includes a bypass for Chrome's encrypted-password storage.

Because EKZ rides FortiClient's legitimate management channel, the EDR/AV layer sees signed Fortinet binaries doing what FortiClient normally does. Every EMS-managed endpoint becomes reachable without a separate intrusion path.

Action checklist

  1. Upgrade FortiClient EMS to 7.4.7 or apply the out-of-band hotfix for 7.4.5 / 7.4.6 if you cannot move major versions today. The April advisory is the patch baseline; if you haven't applied it yet, your EMS is already in scope for this campaign.
  2. Hunt for the Arctic Wolf IOCs on every endpoint managed by EMS:
    • File: C:\ProgramData\log.txt
    • Path: C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd
    • Network: outbound HTTP to 83.138.53.110
    • PowerShell process activity launched by a FortiClient parent process in the last 60 days
  3. Rotate browser-stored credentials for any user whose endpoint was managed by a vulnerable EMS at any point since April 4, 2026. EKZ targets browser credential stores specifically; assume any saved password in Chrome or Firefox on a compromised endpoint is in the attacker's hands.
  4. Audit EMS console access. The exploit is pre-auth at the API layer, but the attack chain depends on the management pathway being reachable from the internet or from an attacker-controlled network position. Restrict EMS admin and management interfaces to a jump host or VPN.
  5. Federal civilian agencies: confirm KEV remediation evidence is on file. The KEV entry is the binding directive — patch or remove from service.
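A host-level triage script for the indicators in item 2, added here as an example; it is not Arctic Wolf's or Fortinet's code. It assumes Windows PowerShell 5.1 or later run as administrator, that Security event 4688 (process creation) auditing is enabled on the host, and the regex for the encoded loader is a constructed heuristic rather than a published signature.

```powershell
# Added example: local triage for the EKZ indicators listed in this article.
# Not Arctic Wolf's or Fortinet's code. Assumes Windows PowerShell 5.1+, admin rights,
# and Security event 4688 (process creation) auditing enabled on the host.
$C2        = '83.138.53.110'                                  # C2 IOC from the article
$LogTxt    = 'C:\ProgramData\log.txt'                         # stealer staging log
$ScriptDir = 'C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts'
$Findings  = New-Object System.Collections.Generic.List[string]

# 1. Staging log written by the stealer.
if (Test-Path -LiteralPath $LogTxt) {
    $Findings.Add("Staging log present: $LogTxt")
}

# 2. Dropped .cmd files in the FortiClient Trace\scripts path. Flag ones that launch
#    PowerShell with an encoded command, matching the base64 loader described above.
#    The pattern is a constructed heuristic, not a published signature.
Get-ChildItem -LiteralPath $ScriptDir -Filter '*.cmd' -ErrorAction SilentlyContinue | ForEach-Object {
    $body = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
    if ($body -match 'powershell(\.exe)?\s+.*-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}') {
        $Findings.Add("Encoded PowerShell loader in $($_.FullName) (written $($_.LastWriteTime))")
    }
}

# 3. Live connections to the C2 (-match on the IP avoids a missing-cmdlet error on old hosts).
Get-NetTCPConnection -RemoteAddress $C2 -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add("Connection to $C2 from PID $($_.OwningProcess), state $($_.State)")
}

# 4. PowerShell spawned by a FortiClient parent in the last 60 days (Security 4688 carries
#    NewProcessName and ParentProcessName on Windows 10 / Server 2016 and later).
$since = (Get-Date).AddDays(-60)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['NewProcessName'] -match 'powershell\.exe$' -and
            $d['ParentProcessName'] -match '\\Fortinet\\FortiClient\\') {
            $Findings.Add("$($_.TimeCreated): PowerShell spawned by $($d['ParentProcessName'])")
        }
    }

if ($Findings.Count -eq 0) { 'No EKZ indicators found on this host.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Run it per host (or wrap it in Invoke-Command for a fleet) and treat any `[!]` line as grounds for isolating the endpoint and starting the credential rotation in item 3.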

Context

This is the second pre-authentication RCE in FortiClient EMS to be exploited in the wild in 26 months. CVE-2023-48788, a SQL injection in the EMS DAS component, was added to KEV in March 2024 after Horizon3 published a working PoC. The architectural problem is the same in both cases: an endpoint-management server is, by definition, a high-trust software-distribution pipeline to every machine it manages. A pre-auth bug at that layer collapses straight into push-execution across the fleet.

The May-2026 cluster is the second campaign this month that we've covered where attackers used a trusted distribution channel to ship a credential stealer disguised as a legitimate update — the Nx Console / GitHub repo exfiltration was the other. The delivery mechanic is interchangeable; the design pattern that makes both viable is not. Treat any console that can push code to managed endpoints — EDR, EMS, MDM, RMM, CI build agents — as a Tier-0 asset whose admin plane belongs behind the same controls you put around a domain controller.
