CVE-2026-35616: FortiClient EMS Flaw Leveraged to Deploy EKZ Infostealer


A threat cluster exploited an authentication-bypass vulnerability in FortiClient Endpoint Management Server (EMS) to abuse trusted endpoint-management infrastructure as a malware delivery channel. Rather than intruding into each device individually, the actor compromised the management plane once and pushed a credential stealer (“EKZ Infostealer”) to managed endpoints disguised as a Fortinet endpoint patch.

Severity: Critical

Vulnerability Details

  • CVE ID: CVE-2026-35616
  • CVSS Score: 9.1
  • Type: Improper access control / API authentication bypass
  • Affected products: FortiClient EMS v7.4.5 through v7.4.6
  • Impact: Unauthenticated attackers send privileged HTTP requests processed as legitimate admin actions.

Attack Chain

  1. Initial access: Crafted unauthenticated HTTP requests to EMS API endpoints bypass authentication.
  2. Persistence/config abuse: Once inside, the threat actors disabled or deferred upgrade reminders (the remind upgrade after setting) and edited the Remote Access Profile and endpoint policy to insert a malicious script triggered via the on connect directive.
  3. Endpoint execution: Upon establishing an IPsec tunnel to the designated FortiGate gateway, the endpoint client (fortitray.exe or ipsec.exe) executed a GUID-named .cmd script file out of the diagnostic logging path: C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts.
  4. Download: The script invoked a base64-encoded PowerShell string to download the primary binary payload (p.exe) from hxxp[:]//83.138.53[.]110/dl/p.exe.
  5. Process lineage: fortitray.exe / ipsec.exe → cmd.exe → powershell.exe → FortiEndpoint_Patch.exe
  6. Credential theft: Payload FortiEndpoint_Patch.exe (EKZ Infostealer) harvests browser credentials.
  7. Exfiltration: After a 90-second sleep, PowerShell exfiltrates log.txt output via HTTP POST, then deletes local artifacts.
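The process lineage in step 5 (fortitray.exe / ipsec.exe → cmd.exe → powershell.exe), the GUID-named .cmd script under the Trace\scripts path, and the base64-encoded PowerShell in step 4 are all visible in ordinary process-creation telemetry. The following is an added example written for this advisory, not detection content from Arctic Wolf or Fortinet: it walks a small set of constructed process events in a generic Sysmon-like shape (the field names pid, ppid, image, cmdline are assumptions, not any product's schema) and reports which events match the chain. The GUID in the sample command line is made up.

```python
"""Flag the EMS-pushed script chain in process-creation events.

Added example, not the advisory's or the vendor's own code. Event records
are constructed; the field layout is an assumption for illustration.
"""
import re

# Parent images that should not be spawning shells from the logging path.
VPN_CLIENT_IMAGES = {"fortitray.exe", "ipsec.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_DIR = r"c:\program files\fortinet\forticlient\logs\trace\scripts"
GUID_CMD_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.cmd", re.I)
ENCODED_RE = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_parent_map(events):
    """Index events by pid so parent links can be followed."""
    return {e["pid"]: e for e in events}


def lineage(events_by_pid, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    cur = events_by_pid.get(pid)
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(_basename(cur["image"]))
        cur = events_by_pid.get(cur["ppid"])
    return list(reversed(chain))


def score_event(events_by_pid, event):
    """Reasons this process-creation event resembles the EKZ delivery chain."""
    reasons = []
    image = _basename(event["image"])
    parent = events_by_pid.get(event["ppid"])
    parent_image = _basename(parent["image"]) if parent else ""
    cmdline = event.get("cmdline", "")
    chain = lineage(events_by_pid, event["pid"])

    if parent_image in VPN_CLIENT_IMAGES and image in SHELLS:
        reasons.append(f"{parent_image} spawned {image}")
    if (image == "powershell.exe" and "cmd.exe" in chain
            and any(p in VPN_CLIENT_IMAGES for p in chain)):
        reasons.append("powershell under cmd under VPN client: " + " -> ".join(chain))
    if SCRIPT_DIR in cmdline.lower():
        reasons.append("script executed from FortiClient Trace\\scripts path")
    if GUID_CMD_RE.search(cmdline):
        reasons.append("GUID-named .cmd script")
    if image == "powershell.exe" and ENCODED_RE.search(cmdline):
        reasons.append("encoded PowerShell command")
    return reasons


def hunt(events):
    """Map pid -> list of reasons, for every event with at least one reason."""
    by_pid = build_parent_map(events)
    found = {}
    for e in events:
        reasons = score_event(by_pid, e)
        if reasons:
            found[e["pid"]] = reasons
    return found


# Constructed sample telemetry: one malicious chain and one benign user shell.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Fortinet\FortiClient\fortitray.exe",
     "cmdline": "fortitray.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts'
                r'\0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b.cmd"'},   # made-up GUID
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QUFB..."},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Only pids 300 and 400 are reported; the benign explorer.exe → cmd.exe → powershell.exe chain is silent because no VPN client image appears among its ancestors. Each reason is kept separate so an analyst can weight the lineage match higher than the encoded-command flag alone, which is common in legitimate administration.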

EKZ Infostealer Capabilities

Characteristics: MinGW-compiled (GCC, Windows x86-64 console PE binary) with DWARF debug symbols retained but timestamp fields zeroed to hinder attribution. It carries an internal SQLite database for handling operator-driven command verbs (e.g., action list, view, export).

Chromium Target Mechanism:

  1. Identifies Chromium installations via the registry.
  2. Reads the os_crypt.app_bound_encrypted_key from the browser’s Local State file.
  3. Copies itself into the browser’s native installation directory and relaunches to trick the Chromium Elevation Service validation check.
  4. Calls IElevator::DecryptData to yield the v20 AES-256 master key, decrypting user profiles and SQLite databases.

Gecko/Firefox Target Mechanism: Dynamically loads nss3.dll to query standard credential stores (key4.db, logins.json, and cookies.sqlite).
Data Stolen: Session cookies (enabling MFA bypass), saved password credentials, and autofill data (credit cards, addresses).
Exfiltration: The tool cannot self-exfiltrate over the network. It dumps plaintext results to C:\ProgramData\log.txt, which a scheduled PowerShell script reads, transmits via HTTP POST to the attacker's IP, and then deletes along with the local executable.

Recommendations

  1. Prioritize identifying all internet-facing and internal FortiClient EMS deployments. Ensure vendor patches addressing CVE-2026-35616 are applied.
  2. Implement strict access control lists (ACLs) or firewall rules to ensure the FortiClient EMS administration and API endpoints are not exposed to the public internet.
  3. Flag any instances where fortitray.exe or ipsec.exe spawns cmd.exe or powershell.exe.
  4. Implement application control rules to block or heavily scrutinize scripts running out of the FortiClient diagnostic logging directories, such as C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts.
  5. Check FortiClient EMS logs for the creation of unexpected administrative accounts or unauthorized configuration changes, such as modified firmware upgrade reminder settings (remind upgrade after).
  6. Look for CVE-2026-35616 exploitation signals:
    • EMS logs containing Certificate not found in request header
    • Followed within seconds by: Certificate user: fortinet-ca2 … successfully updated
  7. Hunt for EMS logins from Tor, VPS IP addresses, or unfamiliar ASNs.
  8. Look for FortiEndpoint executables being staged in C:\ProgramData and subsequent creation of C:\ProgramData\log.txt.
  9. Look for PowerShell spawned from cmd.exe under the C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts path, especially right after VPN/IPsec tunnel establishment.
  10. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/9ea2e1343ae15716167a6e9b4777fc117d563496bc7a6599391d57f700e05782/iocs
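Recommendation 6 pairs two EMS log messages by time: a "Certificate not found in request header" entry followed within seconds by a "Certificate user: fortinet-ca2 … successfully updated" entry. The following is an added example for this advisory, not Arctic Wolf's or Fortinet's detection content. It correlates the two messages over a time window. The line layout (an ISO-8601 timestamp, then the message) and the sample lines are constructed; the text the advisory elides from the second message is left as a placeholder and the regex matches only the fixed start and end. Real EMS logs will need parse_line() adjusted to their actual format.

```python
"""Correlate the two CVE-2026-35616 exploitation signals in EMS logs.

Added example, not the advisory's or the vendor's own code. Log format
and sample lines are constructed assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

MISSING_CERT = "Certificate not found in request header"
# The advisory elides the middle of this message; match only its fixed ends.
CERT_UPDATED_RE = re.compile(r"Certificate user: fortinet-ca2.*successfully updated")
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Return (timestamp, message) for an assumed 'ISO-timestamp message' line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    return ts, m.group(2)


def find_bypass_sequences(lines, window=timedelta(seconds=10)):
    """Pairs (t_not_found, t_updated) where the update follows the
    missing-certificate message within `window`.

    Each 'not found' message is paired with at most one update, and
    candidates older than the window are discarded so a lone error hours
    earlier does not produce a false hit.
    """
    events = [p for p in map(parse_line, lines) if p]
    events.sort(key=lambda e: e[0])
    hits, pending = [], []
    for ts, msg in events:
        if MISSING_CERT in msg:
            pending.append(ts)
        elif CERT_UPDATED_RE.search(msg):
            pending = [t for t in pending if ts - t <= window]
            if pending:
                hits.append((pending.pop(0), ts))
    return hits


# Constructed sample log: one true sequence, one pair too far apart to count.
SAMPLE_LOG = """
2026-04-02T10:15:01 Certificate not found in request header
2026-04-02T10:15:03 Certificate user: fortinet-ca2 <elided-in-advisory> successfully updated
2026-04-02T11:40:00 Certificate not found in request header
2026-04-02T11:55:10 Certificate user: fortinet-ca2 <elided-in-advisory> successfully updated
2026-04-02T12:00:00 Scheduled task completed
""".strip().splitlines()

if __name__ == "__main__":
    for start, end in find_bypass_sequences(SAMPLE_LOG):
        print(f"possible auth bypass: {start} -> {end} ({(end - start).seconds}s apart)")
```

The 10-second default window is an assumption matching the advisory's "within seconds"; widen it if the EMS host writes log entries with coarse or buffered timestamps. Any hit should be checked against the EMS administrator audit trail for the configuration changes listed in recommendation 5.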

Source:

  • https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
  • https://fortiguard.fortinet.com/psirt/FG-IR-26-099
