FortiClient EMS CVE-2026-35616: EKZ Infostealer Deployed

May 31, 2026 · 6 min read · By William
FortiClient EMS Zero-Day Deployed EKZ Infostealer

Fortinet’s endpoint management platform became the delivery mechanism for its own destruction. Attackers exploited CVE-2026-35616, a CVSS 9.8 improper access control flaw in FortiClient EMS, to push a credential-stealing payload disguised as a legitimate Fortinet patch to managed endpoints. The zero-day was actively exploited five days before Fortinet published its advisory, and Arctic Wolf’s investigation reveals the campaign was far more sophisticated than a generic drive-by — it weaponized the trust relationship between EMS and every endpoint it manages.

What CVE-2026-35616 Actually Does

The vulnerability is an improper access control flaw in the FortiClient EMS API. An unauthenticated attacker can send crafted HTTP requests that bypass authentication and authorization entirely, achieving remote code execution on the EMS server without credentials or user interaction. NVD rates it 9.8 critical; Fortinet’s own advisory lists it at 9.1.

Only FortiClient EMS versions 7.4.5 and 7.4.6 are affected. Versions 7.2 and below are not vulnerable. The flaw does not require any privileged access, valid accounts, or user interaction — it is a textbook pre-authentication RCE exposed through the management API.

Why EMS Compromise Multiplies Damage

FortiClient EMS is not just another server. It is the management plane for enterprise endpoint security — the system that enforces device policies, pushes VPN configurations, governs application firewall rules, and tracks compliance posture across every managed endpoint in an organization.

Compromising EMS gives an attacker control of that entire chain. As Horizon3.ai notes in their technical analysis, a compromised EMS instance allows manipulation of endpoint configurations, pushing of malicious policies, and lateral movement into the broader corporate environment. This is not a single-server problem — it is an endpoint fleet compromise via the management control plane.

This is the second unauthenticated RCE in FortiClient EMS disclosed within weeks. CVE-2026-21643, a separate critical flaw in the same product, was also actively exploited before disclosure. The two vulnerabilities have not been linked to the same threat actor, but the pattern is clear: Fortinet’s EMS platform has become a high-value target for initial access operations.

The EKZ Infostealer Campaign

On May 27, 2026, Arctic Wolf published findings from their incident response engagements. The threat cluster exploited CVE-2026-35616 to deliver a custom infostealer they designated EKZ, named after internal symbol strings found in the decrypted payload.

The attack chain works as follows:

  • Attackers exploit CVE-2026-35616 to gain RCE on the EMS server
  • They use EMS management capabilities to push what appears to be a Fortinet endpoint patch to managed devices
  • The fake patch is actually EKZ Infostealer, which silently executes via PowerShell
  • EKZ harvests credentials from Chrome and Firefox, including bypass techniques for Chrome’s encrypted password storage
  • Stolen credentials are staged in a local log file and exfiltrated over HTTP

The sophistication here is the abuse of trust. Endpoints are configured to accept updates from EMS. The payload arrives through the legitimate management channel, signed off by the same infrastructure that handles actual security policy. Traditional endpoint detection that trusts EMS-sourced deployments would miss this entirely.

Timeline and Exposure Scope

The timeline of this incident deserves attention from every security team running Fortinet infrastructure:

Date             Event
---------------  ---------------------------------------------------------------------
March 31, 2026   watchTowr sensors detect active exploitation of the zero-day
April 4, 2026    Fortinet publishes security advisory and out-of-band hotfix
April 6, 2026    CISA adds CVE-2026-35616 to Known Exploited Vulnerabilities catalog
April 6, 2026    Shadowserver reports ~2,000 publicly exposed FortiClient EMS instances
May 27, 2026     Arctic Wolf reveals EKZ Infostealer campaign leveraging the zero-day

watchTowr detected exploitation attempts on March 31 — five full days before Fortinet acknowledged the vulnerability. As watchTowr CEO Benjamin Harris told CyberScoop, early exploitation was limited, reflecting typical attacker behavior of testing a zero-day quietly before ramping up. Once the advisory went public, exploitation surged.

The timing of the initial exploitation is also notable. It began over the Easter holiday weekend, a pattern Harris flagged as deliberate: security teams at half strength, on-call engineers distracted, detection windows stretching from hours to days.

Remediation: What to Do Right Now

The remediation path is straightforward but demands urgency:

  1. Identify exposure. Inventory every FortiClient EMS instance in the environment. Determine which are running 7.4.5 or 7.4.6 and which are internet-facing. The ~2,000 exposed instances Shadowserver found represent the lowest-hanging fruit for attackers.
  2. Apply the hotfix immediately. Fortinet released hotfixes for both affected versions. Hotfix 7.4.5.2111 addresses 7.4.5 deployments. The hotfix does not require system downtime. Do not defer this waiting for the full 7.4.7 release.
  3. Restrict network access. If patching cannot happen immediately, restrict access to EMS management and agent-facing services to trusted internal hosts only. No EMS instance should be exposed to the internet without a VPN or zero-trust network access layer in front of it.
  4. Hunt for compromise. In the absence of published IOCs from Fortinet, review logs for anomalous API requests against the EMS server, unexpected processes executing on the EMS host, and unauthorized changes to endpoint policies, VPN configurations, or administrator accounts.
  5. Rebuild if compromised. If compromise is suspected, do not attempt in-place remediation. Restore from a known-good backup taken before March 31, or rebuild the EMS instance entirely. As multiple researchers have advised, a full rebuild is the most defensible approach when EMS integrity cannot be verified.

Management Planes Are the New Perimeter

CVE-2026-35616 fits a pattern that security teams need to internalize: management planes are the new perimeter, and Fortinet is a recurring target. CISA has added ten Fortinet vulnerabilities to its Known Exploited Vulnerabilities catalog since early 2025, according to VulnCheck VP of security research Caitlin Condon.

When an attacker compromises a management server, they inherit the trust relationships that server holds with every managed asset. The blast radius extends far beyond the single compromised host. EKZ Infostealer proves this: a single EMS RCE became a fleet-wide credential harvesting operation because the attacker leveraged the management channel as a distribution mechanism.

The defensive implications are clear. Management planes — whether FortiClient EMS, SCCM, Ansible Tower, or similar — need the same layered defense posture as any critical infrastructure: network segmentation, multi-factor authentication for all administrative access, rigorous logging, and above all, not exposing them to the internet without substantial access controls in front.
