FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch
May 29, 2026, 10:39 a.m.
Description
In May 2026, threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient Endpoint Management Server (EMS), to bypass API authentication and issue privileged requests without credentials. With that access they turned trusted endpoint management infrastructure against its own fleet, pushing malicious PowerShell scripts disguised as legitimate Fortinet patches to managed endpoints. The campaign deployed EKZ Infostealer, a credential stealer targeting Chrome, Firefox and other browsers. The stealer extracts saved passwords, cookies and autofill data, stages the results locally, and exfiltrates them over HTTP to threat-actor-controlled infrastructure. The actors accessed systems through Tor exit nodes, modified VPN configurations to permit script execution, and used FortiClient's own management pathways to distribute the payload fleet-wide without having to compromise each endpoint individually.
Tags
Date
- Created: May 28, 2026, 3:18 p.m.
- Published: May 28, 2026, 3:18 p.m.
- Modified: May 29, 2026, 10:39 a.m.
Indicators
- 2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2
- d91c00fad521e76efa89715cca89db487d5676f2c767c883482f9c8f82bd383a
- fd65051c61a904a304919c04a8c8633c001183ac73ac461cd4d9057946f02bf5
- 2f25ea1b622abf3212141af932c2ec4cbd6b2b5903c2a531121f691227d98cff
- 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e
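The hashes above are only useful if they are actually swept against endpoints. The following is an added example, not code from this entry's source or from Fortinet: a small Python sweep that hashes every regular file under a directory and reports any whose SHA-256 matches the indicators listed on this page. The `demo()` function builds a constructed, benign sample file in a temporary directory so the matching path can be exercised offline; the sample's name and content are invented for the demo and are not artifacts from the campaign.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators copied from the Indicators list on this page.
EKZ_SHA256 = frozenset({
    "2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2",
    "d91c00fad521e76efa89715cca89db487d5676f2c767c883482f9c8f82bd383a",
    "fd65051c61a904a304919c04a8c8633c001183ac73ac461cd4d9057946f02bf5",
    "2f25ea1b622abf3212141af932c2ec4cbd6b2b5903c2a531121f691227d98cff",
    "0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e",
})


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, indicators=EKZ_SHA256):
    """Walk `root` and return (path, sha256) for every regular file whose hash is in `indicators`.

    Symlinks are skipped so a planted link cannot drag the sweep outside the tree, and
    files that cannot be read (locked, permission denied) are skipped instead of aborting.
    """
    wanted = {h.lower() for h in indicators}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):  # followlinks defaults to False
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((str(path), digest))
    return hits


def demo():
    """Constructed offline demo (sample file and content are invented, not campaign artifacts).

    Returns (hits using only the page's IOCs, hits with the sample's own hash added, expected hash):
    the first list is empty because the benign sample matches nothing on the page, the second
    contains exactly the sample, which shows the matching path works end to end.
    """
    content = b"Write-Host 'constructed benign sample for the demo'\n"
    expected = hashlib.sha256(content).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.ps1"
        sample.write_bytes(content)
        page_only = scan_tree(tmp)
        with_sample = scan_tree(tmp, EKZ_SHA256 | {expected})
    return page_only, with_sample, expected


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for matched_path, matched_digest in scan_tree(root):
        print(f"MATCH {matched_digest} {matched_path}")
```

Run it as `python scan.py C:\` (or whatever root the EMS-pushed scripts would have landed in) and treat any match as a confirmed artifact worth isolating; an absence of matches is not a clean bill of health, since a recompiled or re-obfuscated payload will hash differently, so pair the sweep with the behavioural signals in the description (unexpected EMS-originated PowerShell, changed VPN configuration, outbound HTTP from browsers' profile paths).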
Attack Patterns
- EKZ Infostealer