Skip to main content
Emerging ThreatsMalware & Ransomware

Hackers Exploit FortiClient Flaw to Deliver Infostealer Malware

Network device sits prominently in a server room with management console blurred in background.

"Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows," Arctic Wolf reported.

The flaw: CVE-2026-35616 in FortiClient Enterprise Management Server

Security teams are responding to an improper access control vulnerability — tracked as CVE-2026-35616 — in FortiClient Enterprise Management Server (EMS). The weakness allows unauthenticated remote actors to execute arbitrary code or commands by sending specially crafted requests. Fortinet confirmed exploitation in early April and issued emergency hotfixes for FortiClient EMS versions 7.4.5 and 7.4.6.

At the time of the emergency response, The Shadowserver Foundation reported roughly 2,000 internet-exposed EMS instances. CISA reacted by ordering federal agencies to secure their EMS deployments by the end of that week.

How attackers used EMS APIs and VPN scripting to deliver malware

Arctic Wolf's investigation lays out a clear, fast-moving attack chain that begins with unauthenticated abuse of EMS endpoint APIs to perform administrative actions. The attacker modified EMS configuration and VPN policy objects to inject execution of malicious scripts into endpoint workflows.

Seconds after affected endpoints established an IPsec tunnel to a FortiGate firewall, a legitimate Fortinet process — fortitray.exe — launched attacker-controlled batch scripts via Command Prompt. Those scripts ran a base64-encoded PowerShell payload that downloaded and executed a malicious binary disguised as a Fortinet patch. Data was then exfiltrated over HTTP to an attacker-controlled VPS.

Arctic Wolf emphasizes the deception: the malware was presented to users and systems as an official Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows rather than a generic social-engineering lure.

EKZ Infostealer: targets and capabilities

The downloaded payload has been tracked by Arctic Wolf as the EKZ Infostealer. It implements information-stealing functions that target both Chromium-based browsers and Firefox. In observed behavior, EKZ extracts stored browser data into text files while bypassing encrypted password protections.

Arctic Wolf reports EKZ seeks credentials, credit card details, addresses, phone numbers, and cookies. The malware exfiltrates harvested browser data to the attacker-controlled VPS; the report notes cookies can provide access to accounts protected by multi-factor authentication "without loging it." Local artifacts were removed after execution in the observed intrusions.

Arctic Wolf indicators and recommended detection steps for defenders, federal agencies, and Fortinet customers

Arctic Wolf highlights several log and configuration signals defenders can look for. In lab tests one useful indicator was a log line reading "Certificate not found in request header," followed seconds later by an entry such as "Certificate user: fortinet-ca2 … successfully updated." The researchers advise monitoring for certificate-authentication anomalies and unexpected changes to Remote Access Profile configurations.

The report also calls out suspicious administrative activity as a red flag: new accounts, logins originating from unfamiliar places (examples cited include Tor or VPS IP addresses), or any actions that produce configuration changes. Arctic Wolf's report includes extensive detection guidance intended to help organizations detect and block the observed attack pattern.

Practically speaking, the immediate remediation steps already taken in response to the incident include Fortinet's release of emergency hotfixes for EMS versions 7.4.5 and 7.4.6, and CISA's directive for federal agencies to secure affected instances quickly.

Conclusion: a focused deception with broad implications

This incident illustrates a narrow technical weakness used to mount a broad deception: administrative APIs and VPN scripting, when abused, can convert a trusted endpoint-management framework into a delivery mechanism for an infostealer. The sequence is straightforward, rapid, and difficult to spot without attention to certificate-authentication anomalies and configuration drift in EMS-managed VPN profiles.

Organizations running FortiClient EMS should validate that hotfixes for affected versions are applied, review VPN scripting and Remote Access Profile changes for unauthorized edits, and watch for the log strings Arctic Wolf identified. Arctic Wolf's full detection guidance is available to defenders seeking actionable steps to find and evacuate this specific intrusion pattern.

Source: Bleeping Computer — Hackers exploit FortiClient EMS flaw to push infostealer malware