Threat Actors Exploit Critical FortiClient EMS Flaw to
Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. [...]
What Happened
Threat actors are actively exploiting a critical authentication bypass vulnerability in FortiClient Enterprise Management Server (EMS), tracked as CVE-2026-35616, to deploy an undocumented credential-stealing malware variant named EKZ. The campaign, which shares infrastructure overlaps with the Conti ransomware group, leverages unpatched EMS instances to bypass authentication and gain administrative control, allowing attackers to push the infostealer to managed endpoints.
Fortinet released a security update for CVE-2026-35616 in a previous advisory, but a significant number of EMS deployments remain unpatched. Security researchers from multiple firms have confirmed active exploitation in the wild, with observed payload delivery beginning in early April 2026.
Why It Matters
FortiClient EMS is a centralized management platform used by medium-to-large enterprises to manage endpoint security policies, VPN configurations, and compliance. A successful exploitation grants attackers full administrative rights over the EMS server, enabling them to:
- Deploy arbitrary malware to all managed endpoints simultaneously
- Harvest stored credentials and session tokens from the EMS database
- Establish persistent access to the organization’s endpoint management infrastructure
The EKZ credential stealer captures browser-stored passwords, VPN credentials, and authentication tokens from managed machines. This intelligence could facilitate lateral movement, privilege escalation, or follow-on ransomware deployment. Given the infrastructure links to Conti, organizations face an elevated risk of extortion-level incidents.
Technical Details
CVE-2026-35616 is an authentication bypass vulnerability in the EMS web interface that allows an unauthenticated attacker to send specially crafted HTTP requests to access administrative APIs. The flaw affects FortiClient EMS versions 7.2.x through 7.4.x prior to the patched releases.
The attack chain observed in this campaign:
- Initial Access: Attacker scans for exposed FortiClient EMS management interfaces (typically ports 443 or 8443)
- Exploitation: Sends crafted requests to bypass authentication and access the administrative API
- Payload Delivery: Deploys the EKZ credential stealer via EMS software distribution functionality
- Data Exfiltration: Stolen credentials are sent to command-and-control servers with observed overlap with Conti infrastructure
Indicators of compromise include unexpected EMS admin account creation, abnormal software deployment jobs, and outbound connections to IP ranges previously associated with Conti operations.
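As an added example (not from the original article or from Fortinet), the following script shows how the three indicator classes above can be triaged from EMS audit data. The log format, the sample lines and the watchlist range are all constructed placeholders for this example, not Fortinet's real log schema or real attacker infrastructure.

```python
import ipaddress
from datetime import datetime

# Constructed, hypothetical EMS-style audit lines (NOT Fortinet's real format):
# "<ISO timestamp>|<event>|key=value ...". Assumption of this example only.
SAMPLE_LOGS = """\
2026-04-03T02:14:07Z|admin_created|user=svc_backup_1 by=admin src=203.0.113.45
2026-04-03T02:16:30Z|deploy_job|name=agent-update targets=all pkg=agent.msi by=svc_backup_1
2026-04-03T02:20:11Z|outbound|dst=198.51.100.23 port=443 proc=updater.exe
2026-04-03T10:05:00Z|deploy_job|name=patch-tuesday targets=group:finance pkg=forticlient.msi by=admin
2026-04-03T10:06:12Z|outbound|dst=10.20.30.40 port=443 proc=ems.exe
"""

# Constructed placeholder range; replace with vetted threat-intelligence ranges.
WATCHLIST = [ipaddress.ip_network("198.51.100.0/24")]

# UTC hours during which software deployment jobs are expected (assumed window).
CHANGE_WINDOW = range(8, 18)


def parse_line(line):
    """Split one constructed audit line into (timestamp, event, fields)."""
    ts, event, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def find_suspicious(logs=SAMPLE_LOGS):
    """Return (event, reason) pairs for the three IOC classes named in the article:
    new admin accounts, abnormal deployment jobs, outbound traffic to watchlisted ranges."""
    hits = []
    for line in logs.splitlines():
        ts, event, f = parse_line(line)
        if event == "admin_created":
            # Any admin creation is reviewed; EMS admins should be rare and expected.
            hits.append((event, f"new admin {f['user']} created from {f['src']}"))
        elif event == "deploy_job" and (ts.hour not in CHANGE_WINDOW or f.get("targets") == "all"):
            # Jobs outside the change window, or pushed to every endpoint, are abnormal.
            hits.append((event, f"job {f['name']} -> {f['targets']} at {ts:%H:%M}Z"))
        elif event == "outbound":
            dst = ipaddress.ip_address(f["dst"])
            if any(dst in net for net in WATCHLIST):
                hits.append((event, f"{f['proc']} -> {dst} is on the watchlist"))
    return hits


if __name__ == "__main__":
    for event, reason in find_suspicious():
        print(f"[{event}] {reason}")
```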
Immediate Risk
The risk is assessed as critical. Organizations running unpatched FortiClient EMS versions should treat this as an active, ongoing threat. The combination of publicly available exploit code, demonstrated in-the-wild exploitation, and links to a sophisticated threat actor makes this a high-priority remediation.
Compromised EMS servers can be used as a launch point for ransomware deployment, given the attacker’s ability to push arbitrary payloads to managed endpoints. Any organization that has not applied the FortiClient EMS patch should assume it may already have been compromised.
Security Insight
This campaign demonstrates the convergence of initial access brokers and ransomware groups into a shared exploit marketplace. The EKZ stealer itself is not technically sophisticated, but the delivery mechanism (weaponizing a legitimate enterprise management tool) represents a critical evolution in attack methodology. Defenders should treat enterprise management consoles (EMS, SCCM, JAMF) as tier-zero assets and hold them to the same rigorous patching cadence as domain controllers. Additionally, consider restricting EMS management interfaces to internal-only access and enabling multi-factor authentication for management console logins. The same pattern was observed in the FortiSandbox unauthenticated command injection vulnerability (CVE-2026-39808), where management interfaces became the attack vector of choice for initial access.