Threat actors actively exploit a critical authentication bypass flaw in Fortinet's FortiClient Enterprise Management Server to distribute EKZ, a previously undocumented credential stealer targeting enterprise environments.

The vulnerability, tracked as CVE-2026-35616, allows unauthenticated attackers to bypass security controls on FortiClient EMS installations. Researchers identified the exploit being weaponized in the wild to deliver EKZ, an information stealer that harvests credentials and sensitive data from compromised systems.

FortiClient EMS manages endpoint security policies and agent deployments across enterprise networks, making it a high-value target. Compromise of an EMS instance gives attackers administrative access to push malware or configuration changes to all connected endpoints simultaneously. This amplification effect means a single vulnerable server can compromise hundreds or thousands of client machines.

EKZ operates as a standalone stealer, extracting credentials stored in browsers, email clients, and other applications. The malware also appears designed to exfiltrate system information and configuration data useful for lateral movement within networks.

Organizations running FortiClient EMS require immediate action. The authentication bypass means attackers need only network access to the EMS server, not valid credentials. Patching is critical. Fortinet released updates addressing CVE-2026-35616. Until the patches are deployed, organizations should restrict network access to EMS servers through firewalls, segment them onto isolated networks, and monitor for suspicious administrative activity.

The disclosure reveals a dangerous pattern in which enterprise management tools become attack vectors. Attackers gain an initial foothold, then use the compromised management infrastructure to distribute secondary payloads across the entire endpoint fleet. This approach reduces reconnaissance time and increases the number of infected systems.

Organizations should verify whether EKZ has executed on their networks by reviewing FortiClient logs for unauthorized policy pushes or suspicious executable deployments. Endpoint detection tools should