FortiClient EMS Zero-Day Exploited to Deploy EKZ Infostealer: Critical Patch Urgently Needed
Attackers are actively exploiting a critical authentication bypass vulnerability, **CVE-2026-35616**, in **FortiClient** Enterprise Management Server (**EMS**) to distribute a previously undocumented credential stealer dubbed EKZ. The malware is disguised as a legitimate **Fortinet** endpoint update, highlighting the urgent need for organizations to apply the available patches.

## Critical Vulnerability in FortiClient EMS Under Active Exploitation
Threat actors are leveraging an improper access control flaw, tracked as **CVE-2026-35616**, in **FortiClient EMS**. This vulnerability allows unauthenticated remote attackers to execute arbitrary code or commands through specially crafted requests. The attacks involve deploying the **EKZ** infostealer under the guise of a legitimate **Fortinet** update.
**Fortinet** acknowledged the active exploitation of the vulnerability in early April and released emergency hotfixes for versions 7.4.5 and 7.4.6.
Responding to the escalating threat, **CISA** issued an order for federal agencies to patch their **Fortinet** instances immediately. At the time, **The Shadowserver Foundation** reported approximately 2,000 internet-exposed **EMS** instances.
## EKZ Infostealer Deployment Details
Earlier this month, **Arctic Wolf** researchers uncovered attacks exploiting this vulnerability to deliver the **EKZ** infostealer. The initial intrusion involves abusing endpoint APIs to perform administrative actions without requiring authentication.
Attackers then modify the **EMS** configuration and VPN policies to inject malicious script execution. Shortly after endpoints establish an IPsec tunnel to a **FortiGate** firewall, the legitimate `fortitray.exe` process launches malicious batch scripts via the command prompt.
These scripts execute a base64-encoded PowerShell payload that downloads and runs the malware, disguised as a **Fortinet** patch, before exfiltrating sensitive data to an attacker-controlled VPS over HTTP.
_Malicious PowerShell code_
_Source: Arctic Wolf_
According to the **Arctic Wolf** report, "Rather than relying on a generic malware lure, the payload was presented as a **Fortinet** endpoint update and executed through **FortiClient**-managed VPN scripting workflows."
"On affected endpoints, **FortiClient** components launched command scripts that invoked PowerShell, downloaded a credential stealer, executed it silently, and exfiltrated harvested browser data before removing local artifacts."
## EKZ Infostealer Capabilities
The **EKZ** Infostealer targets both Chromium-based and Firefox web browsers, extracting stored data to text files while bypassing encrypted password protections. It harvests credentials, credit card details, addresses, phone numbers, and cookies, potentially granting access to accounts protected by multi-factor authentication.
_Stealer executes without arguments_
_Source: Arctic Wolf_
## Detection and Mitigation Recommendations
**Arctic Wolf** notes that the presence of the log entry "Certificate not found in request header" followed by "Certificate user: fortinet-ca2 … successfully updated" may indicate an exploitation attempt. They recommend monitoring for certificate-authentication anomalies and unexpected changes to Remote Access Profile configurations.
Additionally, any suspicious administrative activity, such as new accounts, logins from unfamiliar origins (Tor, VPS IP addresses), or actions leading to configuration changes, should be treated as potential indicators of compromise.
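As an added illustration of the log-sequence check Arctic Wolf describes (this is example code, not Arctic Wolf's or Fortinet's), the Python script below scans constructed sample log lines for the "Certificate not found in request header" message followed shortly by the "fortinet-ca2 … successfully updated" message, reporting only the pair and not the routine "updated" line on its own. The line layout and the five-minute window are assumptions; adjust `LINE_RE` to the real EMS log format.

```python
import re
from datetime import datetime

# Constructed sample lines. Assumption: "YYYY-MM-DD HH:MM:SS LEVEL message" layout;
# the real FortiClient EMS log format may differ.
SAMPLE_LOG = """\
2026-04-08 10:02:11 INFO Certificate user: fortinet-ca2 ... successfully updated
2026-04-08 10:14:55 WARN Certificate not found in request header
2026-04-08 10:14:56 INFO Certificate user: fortinet-ca2 ... successfully updated
2026-04-08 11:30:00 WARN Certificate not found in request header
2026-04-08 13:45:00 INFO Certificate user: fortinet-ca2 ... successfully updated
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
# The two messages named in the Arctic Wolf report; the report elides text between
# "fortinet-ca2" and "successfully updated", so that part is matched loosely.
NOT_FOUND = "Certificate not found in request header"
UPDATED_RE = re.compile(r"Certificate user: fortinet-ca2\b.*successfully updated")


def parse(text):
    """Yield (timestamp, message) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def find_cert_bypass_sequences(text, window_seconds=300):
    """Return (t_not_found, t_updated) pairs where a 'not found' message is
    followed within window_seconds by the fortinet-ca2 'successfully updated'
    message. An 'updated' line with no preceding 'not found' is not reported."""
    hits = []
    pending = None  # timestamp of the latest unmatched 'not found' line
    for ts, msg in parse(text):
        if NOT_FOUND in msg:
            pending = ts
        elif UPDATED_RE.search(msg):
            if pending is not None and (ts - pending).total_seconds() <= window_seconds:
                hits.append((pending, ts))
            pending = None
    return hits


if __name__ == "__main__":
    for a, b in find_cert_bypass_sequences(SAMPLE_LOG):
        print(f"possible CVE-2026-35616 exploitation attempt: {a} -> {b}")
```

With the sample input only the 10:14:55/10:14:56 pair is reported; the 11:30 "not found" line is too far from the next "updated" line to pair under the default window.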
Organizations are encouraged to review **Arctic Wolf's** comprehensive detection guidance to help prevent these attacks.