Hackers Exploit FortiClient EMS to Push EKZ Infostealer Disguised as an Official Fortinet Patch
Threat actors are exploiting CVE-2026-35616 in FortiClient EMS to deliver a new credential stealer called EKZ, disguised as a Fortinet endpoint patch. The malware harvests browser credentials from Chrome, Edge, and Firefox and exfiltrates them silently across all managed endpoints.

Corporate laptop displaying a suspicious software update notification in a modern office environment
A newly documented campaign is exploiting a critical vulnerability in Fortinet's FortiClient Endpoint Management Server to deliver a previously undocumented credential-stealing malware to enterprise endpoints. The payload arrives disguised as an official Fortinet software update.
The campaign, uncovered and reported by Arctic Wolf Labs in May 2026, centres on CVE-2026-35616, an improper access control flaw in FortiClient EMS carrying a CVSS score of 9.1. The vulnerability was first observed being exploited as a zero-day in late March 2026 and patched by Fortinet in early April, but active exploitation has continued against organisations that have not yet updated their deployments.
How the attack unfolds
FortiClient EMS is a centralised management platform used by IT teams to deploy, configure, and monitor endpoint security across an organisation's devices. It also controls VPN configurations and can execute scripts on managed endpoints when a VPN tunnel is established.
Attackers exploiting CVE-2026-35616 send specially crafted HTTP requests to exposed FortiClient EMS instances without valid credentials. Because of the improper access control flaw, these requests are processed as legitimate administrative actions, granting full administrative control of the management server.
Once inside, the threat actor modifies the Remote Access Profile and endpoint policy, injecting a malicious script that executes across all managed devices via FortiClient's on_connect VPN scripting feature. The script downloads a file named FortiEndpoint_Patch.exe, a convincing imitation of a legitimate Fortinet update, and executes it silently via PowerShell.
The payload is EKZ Infostealer, a tool first observed in May 2026 and not previously documented by any security vendor. It targets both Chromium-family browsers, including Chrome and Microsoft Edge, and Gecko-family browsers, including Firefox, LibreWolf, and Thunderbird.
For Chrome and Edge, EKZ bypasses the browser's encrypted password storage by calling the IElevator DecryptData interface directly. For Firefox, it loads the browser's cryptographic library and extracts data from the credential database. Harvested data including saved passwords, session cookies, and autofill entries such as payment card details is written to a local log file and exfiltrated on a timed schedule over HTTP.
Why this matters for enterprise security teams
The campaign is notable for what it weaponises: trust. FortiClient EMS is the trusted management plane for endpoint security. By compromising it, attackers turn the organisation's own patching and VPN automation infrastructure into a credential-harvesting delivery channel. Every device managed by the compromised EMS instance becomes a target simultaneously, without individual exploitation.
This pattern is particularly relevant for large enterprise environments in the GCC and MENA region, where FortiGate and FortiClient deployments are widespread across financial services, telecoms, and government contractors. A single exposed EMS instance can put an entire managed fleet at risk.
What to do now
Organisations running FortiClient EMS should upgrade immediately to version 7.4.7 or later, the version in which Fortinet addressed CVE-2026-35616. As an immediate containment measure, access to the EMS management port 8013 should be restricted to trusted administrative IP ranges only.
Security teams should audit Remote Access Profile configurations and endpoint policies for unauthorised modifications, and review VPN connection logs for credential authentication anomalies.
This campaign closely follows the confirmation of active exploitation of CVE-2026-0257, a Palo Alto PAN-OS GlobalProtect authentication bypass flaw, putting two of the most widely deployed enterprise security platforms under simultaneous active attack pressure this week.
Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA RegionOmar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.