CVE-2026-35616: FortiClient EMS Exploit Delivers EKZ Infostealer

Active Exploitation: FortiClient EMS Authentication Bypass to Deliver EKZ Infostealer

Runtime Rebel intelligence confirms active exploitation targeting FortiClient Enterprise Management Server (EMS) installations. Threat actors are leveraging an authentication bypass vulnerability, identified as CVE-2026-35616, to gain unauthorized access and deploy a previously undocumented credential stealer known as EKZ. This campaign poses an immediate and severe threat to organizations utilizing FortiClient EMS for endpoint management and security, highlighting the critical importance of prompt action to secure vulnerable systems, according to BleepingComputer.

Technical Analysis of the Attack Vector

The core of this attack lies in CVE-2026-35616, an authentication bypass flaw within FortiClient EMS. This vulnerability allows an unauthenticated attacker to bypass security checks and gain administrative control over the EMS console. FortiClient EMS is a centralized management platform designed to provide control and visibility over FortiClient endpoint agents. Compromising this server grants attackers a significant foothold, potentially allowing them to manage and deploy software, including malicious payloads, across a network of endpoints.

Once administrative access to FortiClient EMS is achieved via the authentication bypass, threat actors proceed to deploy the EKZ infostealer. The source describes EKZ as an undocumented credential stealer, indicating it is likely a custom or lesser-known malware variant. Infostealers are designed to harvest sensitive information, such as usernames, passwords, browser data, cryptocurrency wallet details, and other confidential data, from compromised systems. The deployment via a trusted management platform like FortiClient EMS makes detection more challenging, as the initial infection might appear as legitimate software deployment. The specific TTP employed involves using the compromised EMS to push the infostealer to managed endpoints, maximizing the potential impact of the initial breach.

CVE-2026-35616 FortiClient EMS Exploit Detection

Detecting signs of compromise related to the CVE-2026-35616 exploitation and subsequent EKZ infostealer deployment requires a multi-layered approach. Organizations should actively monitor for any unusual activity originating from their FortiClient EMS console. This includes unexpected software deployment tasks, unauthorized administrative logins, or changes to configuration settings. Network traffic anomalies, particularly outbound connections from managed endpoints that are inconsistent with normal operations, could indicate exfiltration attempts by the EKZ infostealer. Examining system logs on the FortiClient EMS server and managed endpoints for suspicious process execution, file modifications, or new user accounts is also crucial. Security teams should prioritize looking for IoC related to the EKZ infostealer as they become available.

Prioritizing Mitigation and Response

Addressing this critical threat demands immediate action. The primary and most effective mitigation is to apply all available patches and updates from Fortinet for FortiClient EMS. Organizations should verify their FortiClient EMS version and ensure it is up-to-date. If patching is not immediately feasible, consult Fortinet’s official advisories for any temporary workarounds or compensating controls.

Key Recommendations:

• Patch Immediately: Apply all vendor-provided security patches for FortiClient EMS to resolve CVE-2026-35616. This is the single most critical step to prevent exploitation.
• Network Segmentation: Isolate FortiClient EMS servers on dedicated network segments to limit potential lateral movement in case of a compromise.
• Strong Authentication: Enforce multi-factor authentication (MFA) for all administrative accounts accessing FortiClient EMS.
• Endpoint Monitoring: Implement and tune EDR solutions on all managed endpoints to detect and respond to suspicious processes, file activities, and network connections indicative of the EKZ infostealer or other malware.
• Log Analysis: Centralize and analyze logs from FortiClient EMS, endpoints, and network devices using a SIEM. Look for failed login attempts, unusual administrative actions, or outbound connections to unknown C2 infrastructure.
• Incident Response Plan: Ensure your organization has a well-defined incident response plan to handle potential breaches, including steps for containment, eradication, and recovery. Regularly review and test this plan.
• Employee Training: Educate employees about the risks of credential theft and phishing, as infostealers often precede or complement such attacks.

By proactively addressing the FortiClient EMS authentication bypass mitigation and enhancing detection capabilities, organizations can significantly reduce their attack surface and strengthen their overall security posture against this and similar threats. Regular security audits and adherence to a Zero Trust architecture can further bolster defenses against sophisticated attacks.