FortiClient EMS Vulnerability Exploited to Deploy New EKZ Infostealer Malware

Critical FortiClient EMS Vulnerability Exploited to Deploy EKZ Malware

In May 2026, cybersecurity researchers identified a sophisticated exploitation campaign targeting Fortinet’s FortiClient Endpoint Management Server (EMS). This campaign leverages a critical vulnerability, designated as CVE-2026-35616, to deploy a previously undocumented credential-stealing malware known as EKZ Infostealer across enterprise networks.

Understanding CVE-2026-35616

CVE-2026-35616 is an improper access control vulnerability within FortiClient EMS. This flaw allows unauthenticated attackers to bypass API authentication mechanisms, granting them administrative privileges without the need for valid credentials. By exploiting this vulnerability, threat actors can manipulate EMS configurations and policies, effectively taking control of managed endpoints.

Exploitation Methodology

Once attackers gain unauthorized access to the EMS, they modify the Remote Access Profile and endpoint policies to inject malicious scripts. FortiClient EMS includes a legitimate feature, the `on_connect` directive, that runs a script when a VPN connection is established. The attackers abuse this feature by embedding harmful scripts that are triggered when endpoints connect via an IPsec tunnel.

The process unfolds as follows:

1. Script Deployment: The attackers place `.cmd` script files with unique GUID-based filenames in the FortiClient’s VPN logging directory:

`C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd`

2. Script Execution: Upon VPN connection, FortiClient’s `fortitray.exe` or `ipsec.exe` executes these scripts.

3. Payload Delivery: The scripts decode a base64-encoded PowerShell command that downloads and runs a malicious executable named `FortiEndpoint_Patch.exe`.

4. Data Exfiltration: The malware waits for 90 seconds before transmitting collected data via HTTP POST requests to a command-and-control (C2) server controlled by the attackers at IP address 83[.]138.53[.]110.
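A hunting script for the dropped scripts described in steps 1 to 3, added here as an example; it is not code from the researchers or from Fortinet. It assumes the `.cmd` files hand their payload to PowerShell's `-EncodedCommand` switch, which takes base64 of UTF-16LE text (the report says only "base64-encoded"), and the two sample scripts it writes are constructed for an offline dry run, not captured artifacts. `build_sample_dir()`, `analyse_script()` and `scan_directory()` are names chosen for this example.

```python
"""Hunt for malicious on_connect scripts in the FortiClient VPN scripts directory.
Added example for this write-up; not code from the researchers or from Fortinet."""
import base64
import re
import tempfile
from pathlib import Path

# Directory named in the report. scan_directory() accepts any path, so the scan
# can also run over a copy of the directory collected from an endpoint.
SCRIPT_DIR = Path(r"C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts")

# {GUID}.cmd filenames, with or without the braces.
GUID_CMD = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?\.cmd$", re.I)
# Assumption: the base64 payload is passed to PowerShell's -EncodedCommand, which
# expects base64 of UTF-16LE text. The report only says "base64-encoded".
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Strings from the report plus generic download/launch cmdlets worth an alert.
INDICATORS = ("FortiEndpoint_Patch.exe", "83.138.53.110",
              "Invoke-WebRequest", "DownloadFile", "Start-Process")


def decode_encoded_commands(text):
    """Decode every -EncodedCommand blob in a script body; skip invalid base64."""
    decoded = []
    for blob in ENCODED_CMD.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        try:
            decoded.append(raw.decode("utf-16-le"))
        except UnicodeDecodeError:  # odd length or not UTF-16: keep it readable
            decoded.append(raw.decode("latin-1"))
    return decoded


def analyse_script(path):
    """Describe one .cmd file: naming, encoded blobs, indicator strings matched."""
    text = path.read_text(errors="replace")
    decoded = decode_encoded_commands(text)
    haystack = "\n".join([text] + decoded).lower()
    hits = [i for i in INDICATORS if i.lower() in haystack]
    return {
        "file": path.name,
        "guid_named": bool(GUID_CMD.match(path.name)),
        "encoded_blobs": len(decoded),
        "indicators": hits,
        # Encoded PowerShell or any indicator string is enough to triage the file.
        "suspicious": bool(decoded) or bool(hits),
    }


def scan_directory(directory):
    """Analyse every .cmd in the directory and return the findings in name order."""
    return [analyse_script(p) for p in sorted(Path(directory).glob("*.cmd"))]


def build_sample_dir(root=None):
    """Constructed samples (not captured scripts) so the scan can run offline."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    # Benign operator script: plain commands, descriptive name.
    (root / "map_drives.cmd").write_text("net use H: \\\\fileserver\\home\n")
    # Suspicious: GUID name plus encoded PowerShell that references the payload name.
    ps_text = 'Start-Process "$env:TEMP\\FortiEndpoint_Patch.exe"'
    blob = base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")
    (root / "{3f2504e0-4f89-11d3-9a0c-0305e82c3301}.cmd").write_text(
        f"@echo off\npowershell -EncodedCommand {blob}\n")
    return root


if __name__ == "__main__":
    # Scan the real directory when present, otherwise the constructed samples.
    target = SCRIPT_DIR if SCRIPT_DIR.is_dir() else build_sample_dir()
    for finding in scan_directory(target):
        print(finding)
```

Any finding with `suspicious` set should be triaged together with the EMS configuration history, since the script only reaches the endpoint through a modified Remote Access Profile; a GUID-style name on its own is reported but not treated as malicious, because the naming scheme may be shared with legitimately deployed scripts.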

Initial signs of exploitation were linked to login attempts from multiple Tor exit nodes, including IPs 185[.]220.101.15 and 192[.]42.116.14, occurring within hours of the API authentication bypass.

EKZ Infostealer: A New Threat

The payload, `FortiEndpoint_Patch.exe`, is a Windows binary compiled using MinGW. Researchers have named this malware EKZ Infostealer, derived from internal symbol strings found within its decrypted code. First observed in May 2026, EKZ had not been documented prior to this campaign.

Targeted Browsers and Data Extraction

EKZ Infostealer is designed to extract sensitive information from both Chromium-based browsers (such as Google Chrome and Microsoft Edge) and Gecko-based browsers (including Mozilla Firefox and Thunderbird).

– Chromium Browsers: The malware locates browser installations via the Windows registry, copies itself into the browser’s application directory to pass security checks, and calls the `IElevator::DecryptData` function to retrieve the AES-256 master key. This key is then used to decrypt stored credential databases.

– Gecko Browsers: EKZ dynamically loads the `nss3.dll` library to access and extract data from files like `key4.db`, `logins.json`, and `cookies.sqlite`.

The harvested data includes saved passwords, session cookies, and autofill information such as credit card details. This information is stored in a file named `log.txt` within the `ProgramData` directory and is exfiltrated on a scheduled basis.

Implications of Session Cookie Theft

The theft of session cookies is particularly concerning. With these cookies, attackers can hijack user sessions, potentially bypassing multi-factor authentication (MFA) protections and gaining unauthorized access to sensitive accounts and systems.

Indicators of Compromise (IoCs)

Organizations should be vigilant for the following indicators of compromise associated with this exploitation campaign:

– IP Addresses:

– 83[.]138.53[.]110 (C2 server and payload host)

– 185[.]220.101.15 (Tor exit node used for unauthorized logins)

– 192[.]42.116.14 (Another Tor exit node used for unauthorized logins)

– File Hashes:

– SHA-256: 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e (Malicious executable `FortiEndpoint_Patch.exe`)
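The indicators above as a small matching routine, added here as an example and not part of the researchers' report: it refangs the published addresses, flags log lines that reference them, and compares file contents against the published SHA-256. The log lines it scans are constructed in an invented key=value format (EMS and proxy logs have their own schemas), and the function names are chosen for this example.

```python
"""Match the published IoCs against log lines and file hashes.
Added example for this write-up; the log format below is invented, not an EMS schema."""
import hashlib
import ipaddress
import re

# Addresses as published (defanged with "[.]"), with the role the report gives each.
DEFANGED_IPS = {
    "83[.]138.53[.]110": "C2 server and payload host",
    "185[.]220.101.15": "Tor exit node used for unauthorized logins",
    "192[.]42.116.14": "Tor exit node used for unauthorized logins",
}
PAYLOAD_SHA256 = "0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e"


def refang(ioc):
    """Turn a defanged address into a validated dotted-quad string."""
    return str(ipaddress.ip_address(ioc.replace("[.]", ".")))


IOC_IPS = {refang(k): v for k, v in DEFANGED_IPS.items()}
# Dotted quads not embedded in a longer numeric/dotted token.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def match_line(line):
    """Return (address, role) for every IoC address that appears in the line."""
    return [(ip, IOC_IPS[ip]) for ip in IPV4.findall(line) if ip in IOC_IPS]


def scan_log(lines):
    """Return (line_no, line, matches) for each line referencing an IoC address."""
    hits = []
    for n, line in enumerate(lines, 1):
        matches = match_line(line)
        if matches:
            hits.append((n, line.rstrip(), matches))
    return hits


def payload_hash_matches(data):
    """True if the bytes hash to the published SHA-256 of FortiEndpoint_Patch.exe."""
    return hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256


def is_known_payload(path):
    """Hash a file on disk in chunks and compare it with the published hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == PAYLOAD_SHA256


# Constructed sample lines (invented format). Line 1 is an API login from a Tor exit
# node, line 3 an HTTP POST to the C2 address; lines 2 and 4 are ordinary traffic.
SAMPLE_LOG = [
    "2026-05-11T02:14:07Z ems auth result=success user=admin src=185.220.101.15 via=api",
    "2026-05-11T02:16:22Z ems auth result=success user=admin src=10.20.30.40 via=web",
    "2026-05-11T03:01:55Z proxy method=POST dst=83.138.53.110 bytes=48211 host=WS-0417",
    "2026-05-11T03:02:01Z proxy method=GET dst=203.0.113.7 bytes=1200 host=WS-0417",
]

if __name__ == "__main__":
    for line_no, line, matches in scan_log(SAMPLE_LOG):
        for ip, role in matches:
            print(f"line {line_no}: {ip} ({role}): {line}")
```

Because the report ties the unauthorized logins to Tor exit nodes, a hit on either of the two login addresses in EMS authentication logs is a stronger signal when it coincides with a configuration or policy change in the same window; a POST to the C2 address from a managed endpoint should prompt a hash check of any `FortiEndpoint_Patch.exe` found on that host.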

Mitigation Strategies

To protect against this exploitation campaign, organizations should implement the following measures:

1. Patch Management: Ensure that all FortiClient EMS instances are updated to the latest version that addresses CVE-2026-35616.

2. Access Controls: Review and tighten access controls to the EMS, limiting exposure to trusted networks and users.

3. Monitor Logs: Regularly monitor EMS logs for unusual activities, such as unexpected script executions or configuration changes.

4. Endpoint Security: Deploy robust endpoint detection and response (EDR) solutions to identify and mitigate malicious activities on managed devices.

5. User Education: Educate users about the risks of credential theft and the importance of maintaining strong, unique passwords.

Conclusion

The exploitation of CVE-2026-35616 in FortiClient EMS to deploy EKZ Infostealer underscores the evolving tactics of cyber adversaries. By leveraging trusted administrative tools and features, attackers can infiltrate enterprise networks and exfiltrate sensitive data with minimal detection. Organizations must remain vigilant, promptly apply security patches, and implement comprehensive security measures to defend against such sophisticated threats.