FortiClient Code Execution Vulnerability Exploited to Deploy EKZ Malware

A sophisticated new exploitation campaign is leveraging a critical vulnerability in FortiClient Endpoint Management Server (EMS) to deploy a previously unknown credential-stealing malware dubbed “EKZ.” This campaign highlights a dangerous trend where threat actors weaponize trusted administrative infrastructure, turning the very tools designed to secure networks into vectors for compromise. Security teams and IT professionals reliant on FortiClient EMS must act swiftly to understand and mitigate this emerging threat.

The FortiClient EMS Vulnerability: CVE-2026-35616

At the core of this attack is CVE-2026-35616, an improper access control vulnerability within FortiClient EMS. Arctic Wolf researchers identified this flaw in May 2026, noting that it allows unauthenticated threat actors to achieve code execution. The implications are severe: an attacker exploiting this vulnerability can gain control over a FortiClient EMS instance without needing valid credentials. This effectively bypasses a fundamental security layer, enabling the deployment of malicious payloads across all managed endpoints.

The use of such a critical vulnerability in an endpoint management solution is particularly insidious because EMS platforms typically have extensive privileges and access across an organization’s network. Compromising EMS grants attackers a strategic foothold, allowing them to distribute malware discreetly to numerous machines, often bypassing perimeter defenses and traditional endpoint security measures.

The EKZ Malware: A New Credential Stealer

Once attackers exploit CVE-2026-35616, they deploy the EKZ malware. While specific details on EKZ are still emerging, it has been identified as a credential stealer. Credential stealers are designed to harvest sensitive authentication information, such as usernames, passwords, and other access tokens, from compromised systems. This stolen data can then be used for lateral movement within the network, privilege escalation, or exfiltration to facilitate further attacks, including ransomware deployment or corporate espionage.

The silent deployment mechanism, leveraging the trusted EMS infrastructure, makes EKZ particularly dangerous. Endpoints would likely receive the malware as if it were a legitimate update or configuration file from the EMS, making detection by standard security tools more challenging in the initial stages of infection.

Impact on Enterprise Endpoints

The impact of this campaign on enterprise endpoints is significant. A compromised FortiClient EMS means that every endpoint managed by that server is potentially at risk. Key concerns include:

• Widespread Infection: Attackers can push EKZ to hundreds or thousands of endpoints simultaneously.
• Credential Theft: Financial data, intellectual property, and sensitive company information are all at risk if attackers gain access to legitimate user credentials.
• Lateral Movement: Stolen credentials enable attackers to move undetected throughout the network, accessing servers, databases, and critical systems.
• Persistent Access: Compromising an EMS provides a persistent backdoor into the network, even if individual endpoints are remediated.
• Data Exfiltration: With system access, attackers can exfiltrate valuable data without triggering alarms.

Remediation Actions and Mitigation Strategies

Immediate action is crucial for organizations utilizing FortiClient EMS. Here are the essential steps:

• Patch Immediately: Apply all available security updates and patches for FortiClient EMS, especially those addressing CVE-2026-35616. Fortinet’s official security advisories should be the primary source for update information.
• Network Segmentation: Isolate FortiClient EMS servers from general network access where possible. Restrict communication to only necessary endpoints and services.
• Strong Authentication: Implement multi-factor authentication (MFA) for all administrative access to FortiClient EMS.
• Least Privilege: Ensure that FortiClient EMS runs with the minimum necessary privileges required for its operation.
• Endpoint Monitoring: Enhance endpoint detection and response (EDR) capabilities to monitor for unusual process execution, network connections, and file modifications that could indicate EKZ activity.
• Regular Backups: Maintain frequent, air-gapped backups of critical systems and data to facilitate recovery in the event of a successful attack.
• Security Audits: Conduct regular security audits and penetration tests on your FortiClient EMS deployments and managed endpoints.
• Threat Hunting: Proactively search for indicators of compromise (IOCs) related to this campaign, particularly on EMS servers and high-value endpoints.

Detection and Analysis Tools

Effective detection and analysis are paramount to identifying and responding to this threat. The following tools can assist security teams:

Tool Name	Purpose	Link
FortiClient EMS Logs	Review EMS logs for unusual activity, unauthorized access attempts, or unknown deployments.	Official Fortinet Documentation
Endpoint Detection and Response (EDR) Solutions	Monitor endpoint processes, file activity, and network connections for EKZ malware behavior.	(Varies by vendor, e.g., CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)
Network Intrusion Detection Systems (NIDS)	Identify suspicious traffic patterns, command-and-control communications, or data exfiltration from managed endpoints.	(Varies by vendor, e.g., Snort, Suricata)
Security Information and Event Management (SIEM)	Consolidate logs from EMS, EDR, and NIDS for centralized analysis and alert correlation.	(Varies by vendor, e.g., Splunk, QRadar, Elastic Security)
Vulnerability Scanners	Periodically scan FortiClient EMS instances for known vulnerabilities, including CVE-2026-35616.	(Varies by vendor, e.g., Nessus, Qualys, OpenVAS)

Conclusion

The exploitation of CVE-2026-35616 in FortiClient EMS to deploy EKZ malware represents a significant threat to enterprise cybersecurity. The attack’s methodology—leveraging trusted administrative infrastructure for silent, widespread malware delivery—underscores the need for robust security postures, meticulous patching, and enhanced monitoring. Organizations must prioritize applying updates for FortiClient EMS, implementing stringent access controls, and actively hunting for indicators of compromise to protect their networks from this sophisticated credential stealer.