A serious security flaw in FortiClient Enterprise Management Server (EMS) is being actively exploited by hackers to deploy the EKZ Infostealer malware. The vulnerability, identified as CVE-2026-35616, allows attackers to bypass authentication and execute arbitrary code. This flaw has been used to disguise the malware as a legitimate Fortinet update, which is then delivered through VPN scripting workflows managed by FortiClient. Fortinet confirmed the exploit in early April and provided emergency hotfixes for versions 7.4.5 and 7.4.6 of the software.

Cybersecurity firm Arctic Wolf reported observing attacks that leverage this vulnerability to deliver the EKZ Infostealer. The attack initiates by exploiting endpoint APIs to perform administrative actions without authentication. Subsequent steps involve altering EMS configurations and VPN policies to execute malicious scripts. Once endpoints establish an IPsec tunnel to a FortiGate firewall, malicious scripts are launched, downloading the malware disguised as a Fortinet patch. This malware then exfiltrates sensitive data to an attacker-controlled server.

The EKZ Infostealer targets information such as credentials, credit card details, addresses, phone numbers, and cookies. It is capable of bypassing encrypted password protections in both Chromium-based and Firefox web browsers. Arctic Wolf indicates that one sign of an attack is the presence of a specific error in logs, which is quickly followed by an unauthorized certificate update.

Federal agencies were instructed by CISA to secure their systems promptly, and The Shadowserver Foundation reported seeing 2,000 vulnerable EMS instances online. Arctic Wolf's report provides detection guidance and recommends monitoring for certificate-authentication anomalies and unexpected changes in Remote Access Profile configurations as indicators of compromise. Suspicious administrative activities, including unfamiliar logins or configuration changes, should be treated as warning signs of potential attacks.