Cybersecurity researchers have uncovered active attacks exploiting a critical vulnerability in FortiClient Enterprise Management Server (EMS) to distribute a previously undocumented credential-stealing malware known as EKZ Infostealer.

The attacks leverage CVE-2026-35616, an authentication bypass flaw in FortiClient EMS that enables unauthenticated remote attackers to execute arbitrary commands or code through specially crafted requests. The vulnerability stems from improper access control mechanisms and has been actively exploited in the wild.

Threat actors reportedly disguised the malware as a legitimate Fortinet endpoint update and delivered it through VPN scripting workflows managed by FortiClient. Fortinet acknowledged the exploitation of the flaw in early April and subsequently issued emergency hotfixes for versions 7.4.5 and 7.4.6 of the software.

Following reports of malicious activity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) instructed federal agencies to secure vulnerable systems within days. Around the same period, The Shadowserver Foundation identified approximately 2,000 internet-exposed EMS instances.

Researchers at Arctic Wolf recently observed threat actors using the vulnerability to deploy the EKZ Infostealer. According to the company, attackers begin by abusing endpoint APIs to carry out administrative actions without requiring authentication.

After gaining access, the attackers alter EMS configurations and VPN policies to enable the execution of malicious scripts. Once an endpoint establishes an IPsec connection with a FortiGate firewall, the legitimate FortiClient process, fortitray.exe, launches malicious batch scripts through Command Prompt.

These scripts then execute a Base64-encoded PowerShell payload that downloads malware disguised as a Fortinet software update. The payload subsequently collects data from the victim's device and sends it to an attacker-controlled virtual private server (VPS) over HTTP.

“Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows,” reads the report from Arctic Wolf.

“On affected endpoints, FortiClient components launched command scripts that invoked PowerShell, downloaded a credential stealer, executed it silently, and exfiltrated harvested browser data before removing local artifacts.”

The malware, tracked as EKZ Infostealer, is designed to harvest sensitive information from both Chromium-based and Firefox browsers. It extracts stored browser data into text files and is capable of bypassing encrypted password protections.

Among the targeted data are login credentials, credit card information, addresses, phone numbers, and browser cookies. By stealing cookies, attackers may gain access to accounts protected by multi-factor authentication without needing the user's credentials.

Arctic Wolf noted that one potential indicator of compromise is the appearance of the log entry “Certificate not found in request header.” During testing, this message was often followed within seconds by another log entry indicating that a certificate associated with "fortinet-ca2" had been successfully updated.

Security teams are advised to monitor for unusual certificate authentication events and unauthorized modifications to Remote Access Profile settings. Additionally, suspicious administrative actions, newly created accounts, logins originating from unfamiliar locations such as Tor networks or VPS-hosted IP addresses, and unexpected configuration changes should be treated as potential warning signs of compromise.

Arctic Wolf has also released detailed detection and mitigation guidance to help organizations identify and defend against these attacks.