Arctic Wolf says attackers abused FortiClient EMS CVE-2026-35616 to turn a trusted endpoint-management path into a malware delivery channel. The payload was presented as a Fortinet endpoint patch, but on managed Windows endpoints it ran as FortiEndpoint_Patch.exe, an EKZ Infostealer build focused on browser passwords, cookies, and autofill data.
The important part is not only the vulnerable EMS server. If an attacker changed FortiClient EMS configuration, every endpoint that receives VPN or endpoint policy from that server may need review. The story is a practical example of why an existing FortiClient EMS RCE checklist should cover both the management plane and the devices it manages.
What happened
Fortinet describes CVE-2026-35616 as an improper access-control flaw in FortiClient EMS that can let an unauthenticated attacker execute unauthorized code or commands through crafted requests. Fortinet says exploitation has been observed in the wild and points affected customers to hotfixes for FortiClient EMS 7.4.5 and 7.4.6, with the fix also expected in 7.4.7 or later.
Arctic Wolf’s incident data shows the next step: after EMS access, attackers modified remote-access profile or endpoint policy settings so FortiClient components launched scripts on managed devices. The observed process path was fortitray.exe or ipsec.exe spawning cmd.exe, then PowerShell, then the EKZ payload. That makes this a management-plane compromise with endpoint malware consequences, not a routine single-host infection.
Who is affected
| Environment | Risk and first check |
|---|---|
| FortiClient EMS 7.4.5 or 7.4.6 | Apply Fortinet’s hotfix or upgrade path first. Then review whether the EMS interface was reachable by untrusted networks. |
| Managed endpoints using FortiClient VPN profiles | Look for unexpected scripts under C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\ and PowerShell launched after VPN/IPsec connection events. |
| Browsers on affected hosts | Assume saved passwords, cookies, and autofill data may be exposed until endpoint review and credential rotation are complete. |
What EKZ Infostealer targets
Arctic Wolf reports that EKZ Infostealer targets Chromium-family browsers, Microsoft Edge, Firefox, and Gecko-family browser stores. It can collect saved passwords, cookies, autofill data, addresses, phone numbers, and credit card autofill records. Session cookies are especially risky because they may let an attacker reuse an already-authenticated session without triggering the normal login flow.
If one of your hosts shows this process chain, do not treat browser password changes as the first step. Clean and isolate the host first, preserve useful logs, then rotate passwords and revoke sessions from a known-clean device. Our general infostealer cleanup order applies here too, even though the delivery path is enterprise management rather than a fake download.
What to check now
- Patch EMS before hunting endpoints. Hotfix FortiClient EMS 7.4.5 and 7.4.6 or move to a fixed branch when available. Limit EMS management access to trusted admin networks only.
- Review EMS logs. Arctic Wolf highlights `Certificate not found in request header` followed within seconds by a certificate-user update event as a high-signal pattern.
- Audit configuration changes. Check Remote Access Profile, endpoint policy, script, and upgrade-reminder changes made around suspicious login or API activity.
- Hunt managed endpoints. Look for GUID-named `.cmd` scripts in FortiClient trace script paths, hidden or base64 PowerShell, and suspicious downloads from raw IP infrastructure.
- Contain credential theft. If EKZ execution is suspected, isolate affected hosts, collect logs, scan for malware, revoke browser sessions, rotate passwords, and review cloud/account access from the exposure window.
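The EMS log pairing, the trace-script path check and the process chain from the list above, as a small Python triage helper added here (not code from Arctic Wolf, Fortinet or Gridinsoft). The log line layout, the exact wording of the certificate-user update event and the process-tree input are assumptions and constructed samples; the trace script folder and process names are the ones named in this article.

```python
import re
from datetime import datetime, timedelta

# Constructed EMS-style log lines; the "<ISO timestamp> <level> <message>" layout
# is an assumption for this example, not Fortinet's real EMS log schema.
SAMPLE_EMS_LOG = """\
2026-05-20T09:14:02Z INFO  Certificate not found in request header
2026-05-20T09:14:04Z INFO  Certificate user updated: user=ems-admin
2026-05-20T10:30:11Z INFO  Certificate not found in request header
2026-05-20T11:02:45Z INFO  Certificate user updated: user=svc-deploy
"""

CERT_MISSING = "Certificate not found in request header"
CERT_USER_UPDATE = re.compile(r"certificate user updated", re.IGNORECASE)  # assumed wording

def parse_ems_line(line):
    ts_str, _level, msg = line.split(maxsplit=2)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), msg

def find_cert_anomalies(log_text, window_seconds=10):
    """Return (missing_ts, update_ts, update_msg) for each 'certificate not found'
    line followed within the window by a certificate-user update (log assumed sorted)."""
    events = [parse_ems_line(l) for l in log_text.splitlines() if l.strip()]
    hits = []
    for i, (ts, msg) in enumerate(events):
        if CERT_MISSING not in msg:
            continue
        for ts2, msg2 in events[i + 1:]:
            if ts2 - ts > timedelta(seconds=window_seconds):
                break
            if CERT_USER_UPDATE.search(msg2):
                hits.append((ts, ts2, msg2))
    return hits

# Endpoint side: GUID-named .cmd files in the FortiClient trace script folder from the article.
TRACE_SCRIPTS = r"C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts"
GUID_CMD = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?\.cmd$", re.IGNORECASE)

def is_suspicious_script_path(path):
    folder, _, name = path.rpartition("\\")
    return folder.lower() == TRACE_SCRIPTS.lower() and bool(GUID_CMD.match(name))

# Process ancestry observed in the campaign: FortiClient component -> cmd.exe -> PowerShell.
FORTI_PARENTS = {"fortitray.exe", "ipsec.exe"}

def is_suspicious_chain(ancestry):
    """ancestry: process image names from oldest ancestor to child (EDR/Sysmon tree)."""
    n = [p.lower() for p in ancestry]
    return any(n[i] in FORTI_PARENTS and n[i + 1] == "cmd.exe" and n[i + 2].startswith("powershell")
               for i in range(len(n) - 2))
```

Feed it exported EMS log text and process trees from your EDR; a hit on any of the three checks is a reason to pull the host into the containment steps above.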
Gridinsoft Anti-Malware can be used as a second-opinion scan on affected Windows endpoints after containment, especially when PowerShell or a fake patch executable was seen but the original payload has already deleted itself. For PowerShell-specific triage, compare the event with our PowerShell outbound connection checklist.
FAQ
Is CVE-2026-35616 only a FortiClient EMS server problem?
No. The vulnerability starts at FortiClient EMS, but the observed campaign used EMS-managed configuration to run scripts on endpoint devices. Check both the server and managed endpoints.
Which FortiClient EMS versions need action?
Fortinet lists FortiClient EMS 7.4.5 through 7.4.6 as affected and says FortiClient EMS 7.2 is not affected. Follow Fortinet’s current hotfix and upgrade guidance for your deployment.
What file name should defenders look for?
Arctic Wolf observed EKZ Infostealer delivered locally as FortiEndpoint_Patch.exe, with payload delivery also tied to p.exe on attacker infrastructure.
Should users just change passwords?
Not first. If a host may be infected, isolate and clean it before changing passwords. Then rotate passwords, revoke active sessions, and check cloud and browser-account activity from a clean device.
References
- Arctic Wolf Labs. “FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch.” Arctic Wolf, May 27, 2026, accessed May 31, 2026. https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
- Fortinet PSIRT. “API authentication and authorization bypass.” FortiGuard Labs advisory FG-IR-26-099, published April 4, 2026, accessed May 31, 2026. https://fortiguard.fortinet.com/psirt/FG-IR-26-099