
Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer referred to as EKZ.
The attacker disguised the malware as an update for Fortinet endpoints and executed it through VPN scripting workflows managed by FortiClient.
The exploited critical vulnerability is an improper access control flaw that allows unauthenticated remote attackers to execute arbitrary code or commands via specially crafted requests.
Fortinet confirmed in early April that it was being exploited and released emergency hotfixes for versions 7.4.5 and 7.4.6 of the product.
CISA reacted quickly to the malicious activity and ordered federal agencies to secure their instances by the end of that week, while the internet security watchdog group The Shadowserver Foundation reported at the time that it was seeing 2,000 internet-exposed EMS instances.
Earlier this month, cybersecurity company Arctic Wolf observed attacks leveraging the vulnerability to deliver the EKZ infostealer. The researchers note that the intrusion begins with abusing endpoint APIs to perform administrative actions without authentication.
The attacker then modifies the EMS configuration and VPN policies to introduce the execution of malicious scripts. Seconds after endpoints established an IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe launched malicious batch scripts through Command Prompt.
Those scripts executed a base64-encoded PowerShell payload that downloaded and ran malware disguised as a Fortinet patch, then exfiltrated data to an attacker-controlled VPS over HTTP.
Source: Arctic Wolf
“Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows,” reads the report from Arctic Wolf.
“On affected endpoints, FortiClient components launched command scripts that invoked PowerShell, downloaded a credential stealer, executed it silently, and exfiltrated harvested browser data before removing local artifacts.”
The downloaded payload, tracked as EKZ Infostealer, features fairly standard information-stealing functionality. It targets both Chromium-based and Firefox web browsers and extracts stored data to text files while bypassing encrypted password protections.
Source: Arctic Wolf
The malware targets credentials, credit card details, addresses, phone numbers, and cookies, which provide access to accounts protected by multi-factor authentication without logging in.
According to Arctic Wolf, one indication of an exploitation attempt in attacks delivering the EKZ infostealer is the presence in the logs of the line “Certificate not found in request header.” In lab tests, the error was followed within seconds by another entry: “Certificate user: fortinet-ca2 … successfully updated.”
As such, the researchers recommend that defenders look for certificate-authentication anomalies and unexpected changes to Remote Access Profile configurations.
Any suspicious administrative activity, such as new accounts, logins from an unfamiliar origin (Tor, VPS IP addresses), or actions leading to configuration changes, should be considered a red flag.
Arctic Wolf’s report provides in-depth detection guidance that could help organizations prevent the observed attacks.
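As an added example (not code from Arctic Wolf's report or from Fortinet), the following Python correlates the two log messages quoted above over a constructed sample log. The timestamp-prefixed line layout, the ten-second window, and the "(details omitted)" placeholder standing in for the part of the second message the report elides are all assumptions.

```python
"""Flag EMS log sequences matching the certificate anomaly described by Arctic Wolf."""
import re
from datetime import datetime, timedelta

# Message text quoted from the report; the middle of the second line is elided there,
# so anything is accepted between the CA name and the result.
NOT_FOUND = re.compile(r"Certificate not found in request header")
UPDATED = re.compile(r"Certificate user: fortinet-ca2\b.*successfully updated")

# Assumed line shape: "<ISO-8601 timestamp> <message>"; the real EMS log layout may differ.
LINE = re.compile(r"^(\S+)\s+(.*)$")


def parse(line):
    """Split one log line into (timestamp, message); return None for unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2)


def find_cert_anomalies(lines, window_seconds=10):
    """Return timestamps of 'not found' entries followed within the window by a fortinet-ca2 update."""
    events = [e for e in (parse(l) for l in lines) if e]
    hits = []
    for i, (ts, msg) in enumerate(events):
        if not NOT_FOUND.search(msg):
            continue
        limit = ts + timedelta(seconds=window_seconds)
        for ts2, msg2 in events[i + 1:]:
            if ts2 > limit:
                break  # events are assumed to be in chronological order
            if UPDATED.search(msg2):
                hits.append(ts.isoformat())
                break
    return hits


# Constructed sample log: the first pair is seconds apart (suspicious), the second is
# separated by thirty minutes and falls outside the default window.
SAMPLE_LOG = [
    "2026-04-02T10:15:01 Certificate not found in request header",
    "2026-04-02T10:15:04 Certificate user: fortinet-ca2 (details omitted) successfully updated",
    "2026-04-02T11:00:00 Certificate not found in request header",
    "2026-04-02T11:30:00 Certificate user: fortinet-ca2 (details omitted) successfully updated",
]

if __name__ == "__main__":
    print(find_cert_anomalies(SAMPLE_LOG))  # ['2026-04-02T10:15:01']
```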