Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ekz-stealer (1 article)

FortiClient EMS CVE-2026-35616 actively exploited to deploy EKZ infostealer - disguised as endpoint update via VPN scripting

Arctic Wolf has observed active exploitation of CVE-2026-35616, an authentication-bypass flaw in FortiClient Enterprise Management Server (EMS), to deliver a previously undocumented credential stealer called EKZ. Attackers abuse the endpoint APIs to perform administrative actions without authentication, then modify EMS configuration and VPN policies to inject malicious scripts. Seconds after an endpoint establishes an IPsec tunnel to a Fortinet-managed gateway, EKZ is pushed to it through the VPN scripting workflow, disguised as an endpoint update. Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6 in early April, and CISA ordered federal agencies to patch the same week; Shadowserver tracked 2,000 internet-exposed EMS instances at the time.

Check
Inventory FortiClient EMS deployments and confirm the patch level of each. Search for unauthorized EMS configuration or VPN policy changes since early April. Hunt endpoints for EKZ stealer activity, in particular "updates" delivered through VPN scripting shortly after an IPsec tunnel is established.
Affected
FortiClient EMS versions before the 7.4.5 and 7.4.6 hotfixes. Internet-exposed instances are at highest risk; Shadowserver counted 2,000 exposed in April when CISA mandated federal patching.
Fix
Apply the Fortinet hotfixes. Audit EMS admin actions and VPN policy modifications since April. Rotate credentials and certificates that EMS managed. Apply the EKZ indicators of compromise published by Arctic Wolf.