Exploiting Trust: How CVE-2026-35616 Turns FortiClient EMS into a Malware Distribution Engine

Security teams are currently navigating a sophisticated new threat landscape where the very tools meant to secure an organization are being turned against it.

A critical vulnerability in the FortiClient Endpoint Management Server (EMS) is being actively exploited to distribute a deceptive “patch” that secretly deploys credential-stealing malware.

The flaw, tracked as CVE-2026-35616, represents a severe authentication bypass within the EMS API. This allows unauthenticated attackers to issue highly privileged requests, effectively transforming a centralized management server into a remote code execution (RCE) platform for every managed device in the enterprise fleet.

Arctic Wolf Labs recently documented a threat cluster utilizing this weakness to deploy a novel infostealer known as EKZ. Because FortiClient EMS is designed to manage endpoint policies and VPN configurations globally, it serves as a high-leverage target for adversaries seeking to achieve massive scale through the abuse of legitimate administrative trust.

Command line usage details
Command line usage details are shown when the credential stealer payload is executed without arguments. (Source: arcticwolf)

The Anatomy of the Attack: From API Bypass to Payload Delivery

The intrusion begins with attackers interacting with exposed EMS instances over HTTP. By sending specially crafted requests, they bypass authentication requirements—even without valid certificates. Forensic analysis by Arctic Wolf revealed a telltale sign of exploitation: the EMS log entry “Certificate not found in request header,” followed immediately by logs indicating successful updates from a fabricated “Fortinet fabric device identity.” To mask their movements, the attackers often utilized Tor exit nodes to facilitate subsequent malicious login activity.

Rather than attacking individual endpoints, the actors pivot to modifying the EMS configuration itself. By altering Remote Access Profiles and endpoint policies, they inject malicious scripts into the management pipeline. They specifically target the “on_connect” behavior of VPN configurations. This means that as soon as a user establishes an IPsec VPN tunnel to a FortiGate firewall, the malicious script executes silently on the local machine.

Technically, the execution chain follows a predictable pattern: fortitray.exe (a legitimate FortiClient component) spawns a cmd.exe process, which in turn launches a Base64-encoded PowerShell script. This script downloads the final payload from an attacker-controlled IP (83.138.53[.]110) and executes it under the guise of FortiEndpoint_Patch.exe.

EKZ Log file example
An example log file emitted by the credential stealer. (Source: arcticwolf)

EKZ Infostealer: Deep Browser Data Exfiltration

The core payload, the EKZ Infostealer, is a MinGW-compiled Windows binary specifically engineered to harvest high-value credentials from both Chromium and Gecko-based browsers.

  • Chromium-based (Chrome, Edge, etc.): EKZ identifies browser installations via the registry, extracts the os_crypt.app_bound_encrypted_key from the Local State file, and uses the IElevator::DecryptData Windows interface to derive the AES-256 master key. This allows it to decrypt SQLite databases containing passwords, cookies, and autofill data.
  • Gecko-based (Firefox): The malware dynamically loads nss3.dll to access standard credential stores like key4.db and logins.json.

The stolen data—including session cookies that can bypass Multi-Factor Authentication (MFA) via session reuse—is aggregated into a local SQLite store and exfiltrated to the attacker’s infrastructure.

Mitigation and Defensive Posture

This campaign highlights a shift toward weaponizing “trusted” management infrastructure. Instead of traditional phishing, attackers are compromising the supply chain of endpoint management to ensure near-guaranteed execution.

Immediate Actions for Defenders:

  1. Patch Immediately: Upgrade all FortiClient EMS instances to the latest vendor-supplied versions to remediate CVE-2026-35616.
  2. Network Hardening: Restrict access to the EMS management port (8013) to trusted administrative IP ranges only; do not expose it to the open internet.
  3. Threat Hunting: Scan EMS logs for “Certificate not found in request header” entries, investigate logins originating from Tor exit nodes, and monitor for unexpected PowerShell execution chains triggered by VPN connectivity.
  4. Incident Response: If compromise is suspected, prioritize rotating browser-stored credentials and invalidating all active session tokens for affected users.

Related Articles

Back to top button