Hackers are exploiting CVE-2026-35616 in FortiClient Enterprise Management Server (EMS) to deploy the EKZ credential stealer by abusing FortiClient VPN scripting workflows and disguising the payload as a Fortinet update. Arctic Wolf and Fortinet report that the attack uses unauthenticated endpoint API abuse, malicious PowerShell execution, and data exfiltration from affected endpoints. #CVE-2026-35616 #FortiClientEMS #EKZ #Fortinet #ArcticWolf #CISA
Key points
- Attackers are exploiting CVE-2026-35616 in FortiClient EMS to gain unauthenticated remote code execution.
- The malware is delivered as EKZ, an undocumented credential stealer disguised as a Fortinet endpoint update.
- The intrusion abuses endpoint APIs and FortiClient-managed VPN scripting to run malicious PowerShell commands.
- EKZ targets Chromium and Firefox browsers to steal credentials, cookies, and payment data.
- Defenders should watch for certificate-authentication anomalies and unexpected Remote Access Profile changes.