Flash Briefing | Severity: critical | Sectors: Healthcare, Finance, Critical Infrastructure

FortiClient EMS Active Exploitation: Threat Actors Deploying EKZ Infostealer Via Fake Fortinet Patch

Threat actors are actively exploiting a critical pre-authentication bypass vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS), using access to the management platform to push credential-stealing malware to managed endpoints. Fresh exploitation activity has been confirmed in May 2026, prompting an NHS England Digital cyber alert and renewed warnings from multiple security vendors. Organisations running FortiClient EMS versions 7.4.5 or 7.4.6 that have not applied the available patch or hotfix should treat this as an urgent remediation priority.

Vulnerability and Attack Chain

CVE-2026-35616 carries a CVSS score of 9.1 and is an improper access control flaw in the FortiClient EMS API. An unauthenticated attacker with network access to the EMS server can send crafted API requests that bypass authentication and authorisation controls entirely, achieving code execution on the underlying server without valid credentials or user interaction.

First observed by watchTowr’s monitoring infrastructure on 31 March 2026 and formally disclosed by Fortinet on 4 April, the vulnerability was added to CISA’s Known Exploited Vulnerabilities catalogue on 6 April. What makes the current May 2026 activity notable is the specific malware delivery campaign Arctic Wolf has now documented in detail.

Once attackers gain control of the EMS server, they are using the platform’s legitimate software distribution capability against the organisations it manages. The threat cluster is deploying a payload disguised as an official Fortinet endpoint software update — a fake patch delivered through the same channel administrators use to push legitimate updates. The malicious executable runs via PowerShell on managed endpoints, installing the EKZ Infostealer without triggering alerts in environments that trust EMS-originated updates by policy.

EKZ Infostealer: Capabilities and Exfiltration

The EKZ Infostealer targets stored credentials in Google Chrome and Mozilla Firefox. Notably, the malware incorporates bypass techniques targeting Chrome’s encrypted credential storage — the App-Bound Encryption mechanism introduced in Chrome 127 — allowing it to extract credentials that earlier infostealers could not. Collected credentials are staged in local log files and exfiltrated to attacker-controlled infrastructure over unencrypted HTTP.

The combination of pre-auth server access and management-plane-delivered malware creates a particularly effective propagation path. In a large enterprise with hundreds or thousands of FortiClient-managed endpoints, a single unpatched EMS instance becomes a credential harvesting platform operating under the guise of trusted software management.

Sector Exposure

The NHS England Digital alert (cc-4766) flags active exploitation risk for NHS trusts running FortiClient EMS. Healthcare organisations face compounded risk: FortiClient is widely deployed as an enterprise endpoint security solution, EMS instances are often not on aggressive patch cycles due to maintenance window constraints, and credential theft at scale in clinical environments creates downstream access risks to patient data systems and clinical applications.

Financial services organisations using FortiClient EMS across distributed branch environments are similarly exposed. The EKZ Infostealer’s credential harvesting capability, combined with Chrome’s dominance as an enterprise browser, means the attacker’s yield per compromised endpoint is high — browser-stored credentials commonly include corporate SSO sessions, financial platform access, and VPN credentials.

Organisations running FortiClient EMS should:

  1. Apply the patch immediately. Fortinet has released FortiClient EMS 7.4.7 addressing CVE-2026-35616. A hotfix is also available for organisations unable to upgrade immediately. This vulnerability is being actively exploited — patch timelines should be measured in hours, not the next maintenance window.

  2. Review EMS distribution logs. Audit recent software packages distributed to managed endpoints via EMS for unsigned or unexpected executables. The EKZ Infostealer campaign relies on the EMS software distribution channel — review what has been pushed since the beginning of April.

  3. Rotate credentials on affected endpoints. If there is any possibility that managed endpoints received the fake Fortinet update, treat all stored browser credentials on those endpoints as compromised. Force password resets and revoke active SSO sessions for the affected scope.

  4. Verify EMS network segmentation. FortiClient EMS servers should not be directly accessible from internet-facing networks. Ensure management interfaces are accessible only from designated administrator networks.

  5. Monitor for HTTP-based exfiltration. EKZ exfiltrates over unencrypted HTTP. Network-layer monitoring for unexpected outbound HTTP traffic from EMS-managed endpoints and the EMS server itself may surface active compromises.
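Two of the checks above (item 2, auditing what EMS pushed to endpoints, and item 5, watching for plaintext HTTP egress) can be scripted on a managed Windows endpoint. The following is an added example written for this briefing; it is not Fortinet's code and not taken from the advisory. It assumes a hypothetical staging folder (`$StagingPath`) where pushed packages land, a signer-subject pattern of `*Fortinet*` for legitimate Fortinet installers (an assumption to verify against a known-good package in your own environment), and a start date of 1 April 2026 taken from the text.

```powershell
# Added example for this briefing (not Fortinet's or the advisory's own code).
# Run in an elevated PowerShell session on an EMS-managed Windows endpoint.

function Get-SuspiciousPushedExecutables {
    # Item 2: list executables written since $Since whose Authenticode signature
    # is missing/invalid or whose signer does not match the expected vendor.
    param(
        [Parameter(Mandatory)] [string] $StagingPath,                 # assumption: where pushed packages land
        [datetime] $Since = (Get-Date -Year 2026 -Month 4 -Day 1),   # start of April, per the briefing
        [string]   $ExpectedSignerPattern = '*Fortinet*'             # assumption: verify against a known-good package
    )
    Get-ChildItem -Path $StagingPath -Recurse -File -Include *.exe, *.msi, *.ps1 -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Path       = $_.FullName
                Written    = $_.LastWriteTime
                SigStatus  = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer     = $signer
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash   # record for IR/sharing
                Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notlike $ExpectedSignerPattern)
            }
        } |
        Where-Object Suspicious
}

function Get-OutboundPlaintextHttp {
    # Item 5: established TCP connections to remote port 80 on non-private
    # addresses, with the owning process, so unexpected HTTP egress stands out.
    $privateRanges = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.)'
    Get-NetTCPConnection -RemotePort 80 -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $privateRanges -and $_.RemoteAddress -ne '::1' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                RemoteAddress = $_.RemoteAddress
                OwningPid     = $_.OwningProcess
                Process       = $proc.ProcessName
                ProcessPath   = $proc.Path          # may be empty without elevation
            }
        }
}

# Usage: $StagingPath is a placeholder; point it at wherever your deployment stages EMS packages.
$StagingPath = 'C:\EMS-Staging-PLACEHOLDER'
Get-SuspiciousPushedExecutables -StagingPath $StagingPath | Format-Table -AutoSize
Get-OutboundPlaintextHttp | Format-Table -AutoSize
```

A hit in the first list is a file to pull, hash-match and hold, not a verdict on its own: a valid signature from an unexpected signer still needs a look, and an unsigned `.ps1` in the staging path is exactly the shape of the delivery described above. The second function is a point-in-time snapshot; for sustained coverage, the same filter (port 80, public destination, unexpected owning process) belongs in proxy or firewall telemetry for the whole EMS-managed estate and the EMS server itself.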