FortiClient Code Execution Vulnerability Exploited to Deploy EKZ Malware
Attackers are exploiting CVE-2026-35616 in FortiClient EMS to deploy a previously undocumented credential stealer, EKZ Infostealer, targeting enterprise endpoints.
A newly observed exploitation campaign targeting FortiClient Endpoint Management Server (EMS) has weaponized trusted administrative infrastructure to silently deploy a previously unreported credential stealer across managed enterprise endpoints. In May 2026, Arctic Wolf researchers identified a cluster of malicious activity exploiting CVE-2026-35616, an improper access control vulnerability in FortiClient EMS. The flaw allows unauthenticated threat actors to bypass API authentication and send privileged requests to affected deployments, effectively granting administrative control without valid credentials.
Once threat actors gained access to the EMS configuration, they modified the Remote Access Profile and endpoint policy to inject malicious scripts targeting all managed devices. FortiClient EMS supports script execution upon VPN tunnel establishment using on_connect directives, a legitimate feature that the attackers weaponized entirely. When affected endpoints are connected via an IPsec tunnel, fortitray.exe launched .cmd script files with GUID-based filenames stored within FortiClient's standard VPN logging path: C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd. These scripts decoded and executed a base64-encoded PowerShell payload that downloaded the malicious executable, ran it silently, waited 90 seconds, and exfiltrated output via HTTP POST to a threat-actor-controlled VPS at 83[.]138.53[.]110.
The downloaded payload, disguised as FortiEndpoint_Patch.exe, is a MinGW-compiled Windows binary that Arctic Wolf designated as EKZ Infostealer, named after internal symbol strings extracted from decrypted code. This tool was first observed in May 2026 and had not been previously documented. EKZ targets both Chromium-family browsers (Chrome, Edge) and Gecko-family browsers (Firefox, LibreWolf, Thunderbird). For Chromium browsers, it locates installations via the registry, copies itself into the browser's Application directory to pass Elevation Service path validation, and calls IElevator::DecryptData to obtain the v20 AES-256 master key before decrypting credential databases. For Firefox, it dynamically loads nss3.dll and extracts data from key4.db, logins.json, and cookies.sqlite.
Harvested data, including saved passwords, session cookies, and autofill entries like credit card details, is written to a log.txt in ProgramData, then exfiltrated on a timed schedule. The stolen session cookies are particularly dangerous, as they can enable account takeover even where MFA protections are in place, Arctic Wolf observed. Initial exploitation was also linked to login events from multiple Tor exit node IPs, including 185[.]220.101.15 and 192[.]42.116.14, within hours of the API authentication bypass.
Organizations relying on FortiClient EMS should treat this as a high-priority incident response trigger, given that a single EMS compromise translates to fleet-wide exposure across every managed endpoint. Mitigations include patching immediately to a fixed version addressing CVE-2026-35616, restricting management port access to trusted IP ranges, auditing VPN script configurations for unauthorized entries, hunting for IOCs such as GUID-named .cmd files in FortiClient's logs\Trace\scripts\ path, and rotating browser credentials on managed endpoints.