Breaking Down the FortiClient Breach: CVE-2026-35616 and the Rise of EKZ Infostealer

May 29, 2026

Threat actors are increasingly targeting centralized management platforms to turn trusted administrative workflows against the organizations that rely on them. Instead of developing complex intrusion paths to every individual device, modern malware groups are abusing the very tools designed to manage and protect enterprise endpoints.

According to recent findings, a threat cluster has been observed exploiting a critical vulnerability, CVE-2026-35616, in FortiClient Endpoint Management Server (EMS) to deploy a previously unreported credential stealer named EKZ Infostealer. The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints, with the malicious payload disguised as a fake Fortinet endpoint patch.

Background on EKZ Infostealer Operations

The cluster, first observed in May 2026, compromises centralized management platforms and turns their legitimate administrative workflows against the targeted organization, rather than building a separate intrusion path to every individual device.

Once the threat actors gain a route to modify EMS-managed configuration, every managed endpoint becomes a potential execution target without requiring a separate intrusion path to each device. The group uses FortiClient's own management pathway to push malicious PowerShell commands to managed endpoints, demonstrating a sophisticated understanding of enterprise security tools.

The credential stealer payload deployed in this campaign, designated as EKZ Infostealer, supports credential extraction from Chrome and Firefox, including bypass techniques targeting Chrome's encrypted password storage mechanisms. The malware stages its harvested results in a log file and exfiltrates obtained credentials over HTTP to threat-actor-controlled infrastructure.

The campaign leverages CVE-2026-35616, an improper access control vulnerability in FortiClient EMS. By sending specially crafted HTTP requests without valid credentials, unauthenticated attackers can bypass API authentication and interact with EMS functionality as if they were legitimate administrators. This access allows them to modify Remote Access Profiles and endpoint policies, inserting malicious scripts that are then pushed to every managed endpoint. Fortinet released out-of-band patches in early April 2026, and CISA later added the flaw to its Known Exploited Vulnerabilities catalog.

Vulnerability Details

CVE-2026-35616:

• Vulnerability type: Improper access control in FortiClient EMS

• CVSS Score: 9.8

• EPSS Score: 43.21%

Infection Method

The attackers gain initial access by exploiting CVE-2026-35616. When specially crafted HTTP requests are sent to certain FortiClient EMS endpoints without valid credentials, the requests are processed as if they were legitimate administrative actions. From that point onward, threat actors can interact with EMS functionality that would normally require administrative access.

The threat actors then perform follow-on actions, such as updating the remind_upgrade_after configuration to defer firmware upgrade reminders, as well as editing the Remote Access Profile configuration and endpoint policy to insert a malicious script for execution on endpoint devices.

Within seconds of affected endpoints establishing an IPsec tunnel to the configured FortiGate firewall, fortitray.exe was observed launching .cmd script files via cmd.exe. From there, the cmd script launched a malicious base64-encoded PowerShell script. This script attempts to download a malicious payload using several fallback methods, runs the downloaded payload, sleeps for 90 seconds, then exfiltrates script output to a threat-actor-controlled Virtual Private Server host via HTTP POST.

Researchers also observed that the credential stealer payload was disguised as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.

Indicators of Compromise (IOCs)

Malicious IP Addresses

• 83.138.53[.]110 — Threat-actor-controlled VPS host for payload delivery (/dl/p.exe) and data exfiltration

• 185[.]220.101.15 — Tor exit node IP address (AS60729 - Stiftung Erneuerbare Freiheit) used for malicious login events after exploitation

• 192[.]42.116.14 — Tor exit node IP address (AS215125 - Church of Cyberology) used for malicious login events after exploitation

Payload Delivery URL

• hxxp[:]//83[.]138[.]53[.]110/dl/p.exe

Exfiltration Endpoint

• hxxp[:]//83[.]138.53[.]110/service/save.php

File Hashes (SHA-256)

• 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e - EKZ Infostealer (FortiEndpoint_Patch.exe / p.exe)

• d91c00fad521e76efa89715cca89db487d5676f2c767c883482f9c8f82bd383a - FortiEndpoint_Patch.2.4.9.zip

• fd65051c61a904a304919c04a8c8633c001183ac73ac461cd4d9057946f02bf5 - FortiEndpoint_Patch.2.4.9.msi

• 2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2 - fil_api_ms_win_crt_apibase_l1_1_0.dll

• 2f25ea1b622abf3212141af932c2ec4cbd6b2b5903c2a531121f691227d98cff - Microsoftr Windowsr Operating System-Installer.exe (Note the threat actor’s misspelling in the filename).

System Artifacts

• Creation of C:\ProgramData\log.txt (staged credentials)

• Script files located at C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd

MITRE ATT&CK Mapping

Tactic ID                       Technique ID
TA0001 - Initial Access         T1190 - Exploit Public-Facing Application
TA0002 - Execution              T1059 - Command and Scripting Interpreter
TA0003 - Persistence            T1098 - Account Manipulation
TA0006 - Credential Access      T1555 - Credentials from Password Stores
TA0005 - Defense Evasion        T1027 - Obfuscated Files or Information
TA0008 - Lateral Movement       T1021 - Remote Services
TA0010 - Exfiltration           T1041 - Exfiltration Over C2 Channel

Attack Flow

• Initial Access → Exploit CVE-2026-35616 (FortiClient EMS) → Bypass API Authentication → Modify Remote Access Profile & Endpoint Policy → Insert Malicious PowerShell Script → Push to Managed Endpoints → Execute EKZ Infostealer → Harvest Browser Credentials → Exfiltrate via HTTP POST.

Mitigation

• Patch immediately: Organizations running affected versions of FortiClient EMS (7.4.5 and 7.4.6) should upgrade to a fixed version as soon as possible.

• Restrict network access to the FortiClient EMS management port (8013) to trusted IP ranges only.

• Monitor EMS logs for "Certificate not found in request header" followed by "Certificate user: fortinet-ca2 … successfully updated".

• Audit configuration changes for unexpected modifications to Remote Access Profiles and endpoint policies, especially those enabling script execution via on_connect.

• Monitor endpoint behavior for PowerShell execution spawned by fortitray.exe or ipsec.exe, particularly with base64-encoded commands.

• Continuously monitor for creation of log.txt files in ProgramData followed by HTTP POST requests.

• Apply security patches to internet-facing systems immediately after disclosure.
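Two of the monitoring items above, the EMS log sequence and encoded PowerShell spawned by fortitray.exe or ipsec.exe, written as detection logic that runs over constructed sample records. This is an added example, not code from the original post or from Fortinet or SecPod; the log line format, the event field names (parent, image, cmdline) and all sample values are assumptions to adapt to your real EMS and EDR sources.

```python
import base64
import re
from datetime import datetime, timedelta

# Rule 1 (EMS log): "Certificate not found in request header" followed shortly by
# "Certificate user: fortinet-ca2 ... successfully updated", the sequence the post calls out.
EMS_MISSING_CERT = "Certificate not found in request header"
EMS_CA2_UPDATED = re.compile(r"Certificate user: fortinet-ca2.*successfully updated")

def ems_auth_bypass_sequences(lines, window=timedelta(minutes=5)):
    """Return (t_missing, t_updated) pairs seen in order within `window`; lines are
    assumed to start with an ISO-8601 timestamp (constructed format, adapt to real EMS logs)."""
    hits, pending = [], []
    for line in lines:
        ts_str, _, msg = line.partition(" ")
        ts = datetime.fromisoformat(ts_str)
        if EMS_MISSING_CERT in msg:
            pending.append(ts)
        elif EMS_CA2_UPDATED.search(msg):
            hits.extend((t0, ts) for t0 in pending if timedelta(0) <= ts - t0 <= window)
            pending = []
    return hits

# Rule 2 (endpoint telemetry): PowerShell spawned by fortitray.exe or ipsec.exe with an
# encoded command, the execution chain the post describes.
SUSPICIOUS_PARENTS = {"fortitray.exe", "ipsec.exe"}
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def flag_encoded_powershell(events):
    """events: dicts with 'parent', 'image', 'cmdline' (assumed field names).
    Returns matching events with the -EncodedCommand payload decoded (UTF-16LE) for triage."""
    flagged = []
    for ev in events:
        m = ENC_FLAG.search(ev["cmdline"])
        if (m and ev["parent"].lower() in SUSPICIOUS_PARENTS
                and ev["image"].lower().endswith(("powershell.exe", "pwsh.exe"))):
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
            flagged.append({**ev, "decoded": decoded})
    return flagged

# Constructed sample data (not real EMS or EDR output).
SAMPLE_EMS_LOG = [
    "2026-05-10T09:00:01 Certificate not found in request header",
    "2026-05-10T09:00:02 Certificate user: fortinet-ca2 successfully updated",
    "2026-05-10T11:30:00 Certificate user: fortinet-ca2 successfully updated",  # no miss before it: benign
]
_ENC = base64.b64encode("Write-Host test".encode("utf-16-le")).decode()  # harmless stand-in payload
SAMPLE_EVENTS = [
    {"parent": "FortiTray.exe", "image": "powershell.exe", "cmdline": "powershell.exe -NoP -W Hidden -enc " + _ENC},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe -enc " + _ENC},  # normal parent
]
```

Running `ems_auth_bypass_sequences(SAMPLE_EMS_LOG)` yields one pair (09:00:01, 09:00:02) and `flag_encoded_powershell(SAMPLE_EVENTS)` flags only the FortiTray.exe-spawned process, with the decoded command attached for the analyst.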

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
