Vulnerability in FortiClient EMS Exposes Enterprise Devices to New Infostealer Malware
FortiClient EMS Vulnerability Exploited in Broad-Spectrum Infostealer Attacks
A recently discovered vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) has been exploited by attackers to deliver a sophisticated infostealer to enterprise computers.
The Vulnerability:
The vulnerability, which Fortinet publicly disclosed in early April, allows attackers to bypass API authentication and authorization. This gives them access to EMS functionality that normally requires administrative rights, including updating configuration settings and inserting malicious scripts for execution on endpoint devices.
Follow-On Actions:
- Updating the “remind_upgrade_after” configuration to defer firmware upgrade reminders
- Editing the Remote Access Profile configuration and endpoint policy to insert a malicious script for execution on endpoint devices
The Malware:
The malicious payload delivered to target endpoints is a MinGW-compiled Windows credential stealer, dubbed EKZ Infostealer. This malware is capable of harvesting session cookies, credentials, and autofill data stored by browsers and software using the Chromium and Gecko engines, including Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Mozilla’s Firefox, and others.
“While not directly observed in this infection chain, several other malicious samples were recovered from the threat-actor-controlled HTTP server, including files with names like ‘FortiEndpoint_Patch.2.4.9.zip’, ‘Microsoftr Windowsr Operating System-Installer.exe’, and ‘fil_api_ms_win_crt_apibase_l1_1_0.dll’.” – Arctic Wolf researchers
Indicators of Compromise:
- Certificate errors
- New accounts
- Suspicious/unfamiliar logins
- Execution-enabling configuration changes
Recommendations:
- Check logs for specific headers
- Change affected passwords
- Revoke active sessions
- Cancel and reissue payment cards
- Perform thorough remediation
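The indicators and follow-on actions listed above (unfamiliar logins, new accounts, and execution-enabling changes such as edits to "remind_upgrade_after", the Remote Access Profile, or endpoint policy) can be turned into a first-pass log triage. The script below is an added example, not Fortinet's or Arctic Wolf's code; the audit-log line format, the field names, and the sample log are constructed for illustration and do not match the real EMS log format. It also flags a configuration change from a source that never logged in, on the assumption that an API authentication bypass would leave exactly that gap.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed log line format, constructed for this example (not Fortinet's real EMS format):
#   <timestamp> user=<name> src=<ip> action=<verb> [target=<key>=<value>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+)(?: target=(?P<target>.*))?$"
)

# Settings named in the advisory whose modification can lead to script
# execution on managed endpoints (key names are assumed for this example).
EXECUTION_ENABLING = {"remind_upgrade_after", "remote_access_profile", "endpoint_policy"}


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    indicator: str
    detail: str


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str, known_admins, known_sources):
    """Walk the log once and emit one Finding per advisory indicator observed."""
    known_admins = set(known_admins)
    known_sources = set(known_sources)
    sources_with_login = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not trusted
        ts, user, src, action = rec["ts"], rec["user"], rec["src"], rec["action"]
        target = rec["target"] or ""
        if action == "login":
            sources_with_login.add(src)
            # Unknown account or unknown source address: "suspicious/unfamiliar login"
            if user not in known_admins or src not in known_sources:
                findings.append(Finding(ts, user, src, "suspicious_login", f"{user} from {src}"))
        elif action == "create_account":
            findings.append(Finding(ts, user, src, "new_account", target))
        elif action == "config_change":
            key = target.split("=", 1)[0]
            if key in EXECUTION_ENABLING:
                findings.append(Finding(ts, user, src, "execution_enabling_change", target))
            # Assumption: since the flaw bypasses API authentication, a change
            # arriving from a source that never logged in deserves a look.
            if src not in sources_with_login:
                findings.append(Finding(ts, user, src, "change_without_login", target))
    return findings


def summarize(findings):
    """Count findings per indicator for a quick triage overview."""
    return dict(Counter(f.indicator for f in findings))


# Constructed sample log; the public addresses are documentation ranges, not real IoCs.
SAMPLE_LOG = """\
2026-04-02T09:14:03Z user=admin src=10.0.5.20 action=login
2026-04-02T09:20:11Z user=admin src=10.0.5.20 action=config_change target=log_retention_days=90
2026-04-02T23:41:52Z user=admin src=203.0.113.77 action=login
2026-04-02T23:42:30Z user=admin src=203.0.113.77 action=create_account target=svc_update
2026-04-02T23:43:05Z user=svc_update src=203.0.113.77 action=login
2026-04-02T23:44:18Z user=svc_update src=203.0.113.77 action=config_change target=remind_upgrade_after=365
2026-04-02T23:45:40Z user=svc_update src=203.0.113.77 action=config_change target=remote_access_profile=on_connect_script
2026-04-03T01:02:09Z user=- src=198.51.100.9 action=config_change target=endpoint_policy=deploy_script
"""

KNOWN_ADMINS = {"admin"}
KNOWN_SOURCES = {"10.0.5.20"}

if __name__ == "__main__":
    results = triage(SAMPLE_LOG, KNOWN_ADMINS, KNOWN_SOURCES)
    for f in results:
        print(f"{f.ts} {f.indicator:<26} {f.user}@{f.src} {f.detail}")
    print(summarize(results))
```

The known-admin and known-source sets are the baseline that makes "unfamiliar" meaningful; in practice they come from the asset inventory, and a newly created account is deliberately not added to the baseline, so its later logins keep being flagged.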
