helpnetsecurity.com web signal

FortiClient EMS exploit drops infostealer on enterprises

cybersecurity exploit enterprise-security

Key insights

  • CVE-2026-35616 (CVSS 9.1) lets an unauthenticated attacker rewrite endpoint policy for every FortiClient EMS-managed device at once.
  • EKZ Infostealer bypasses Chrome's credential-store encryption to harvest saved passwords, session cookies, and autofill data at scale.
  • Any organization running an internet-facing FortiClient EMS below version 7.4.7 should treat every credential held on its managed endpoints as compromised.

Why this matters

FortiClient EMS is the centralized policy backbone for enterprise endpoint fleets, so a single compromised server can silently rewrite security controls on thousands of devices without any individual endpoint raising an alert. EKZ Infostealer's Chrome encryption bypass targets the exact credential stores that engineers use for cloud platforms, SaaS tools, and internal APIs, which hands attackers session cookies and any browser-saved OAuth tokens or API keys alongside passwords. For technical leaders running AI infrastructure or cloud-native platforms, this attack class is a realistic path from one unpatched management server to credential compromise on every developer and operations endpoint in the organization.

Summary

FortiClient EMS is under active exploitation: attackers are using CVE-2026-35616 to push credential-stealing malware to every managed endpoint in target networks. Arctic Wolf documented the campaign. CVE-2026-35616 is a CVSS 9.1 unauthenticated API bypass in FortiClient EMS below version 7.4.7. Attackers gain server access, rewrite all endpoint policies, then push a binary disguised as a legitimate Fortinet patch update. In short, this is a management-plane takeover that silently compromises every managed endpoint at once (sources: Arctic Wolf, Fortinet).

  • EKZ Infostealer extracts Chrome and Firefox passwords, session cookies, and autofill data using Chrome encryption bypass techniques.
  • Exfiltration runs over a scheduled, timer-based channel, which limits real-time detection signals.
  • Organizations running an internet-facing EMS below 7.4.7 should treat all managed-endpoint credentials as fully compromised.
  • Blast radius scales directly with fleet size, which puts large enterprises at the highest risk.
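A timer-based exfiltration channel trades real-time signal for a property that human-driven traffic lacks: near-constant spacing between connections. The following is an added example, not code from Arctic Wolf, Fortinet, or the EKZ sample itself. It runs a simple inter-arrival-time triage over constructed outbound connection records (the log format, the addresses, and the 15-minute interval are assumptions for illustration, not observed indicators) and flags source/destination pairs whose interval jitter is low enough to suggest a scheduled beacon.

```python
"""Inter-arrival-time triage for scheduled (timer-based) exfiltration.

Added example; not code from Arctic Wolf, Fortinet, or the EKZ sample.
The log format, addresses, and beacon interval are constructed for
illustration and are not indicators from the reported campaign.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connections: timestamp src dst bytes_out.
# 203.0.113.44 receives a connection every ~15 minutes with little jitter
# (the hypothetical beacon); 198.51.100.9 receives irregular, human-like traffic.
SAMPLE_LOG = """\
2026-05-01T09:00:02Z 10.20.1.15 203.0.113.44 18231
2026-05-01T09:00:41Z 10.20.1.15 198.51.100.9 1203
2026-05-01T09:15:03Z 10.20.1.15 203.0.113.44 17990
2026-05-01T09:21:17Z 10.20.1.15 198.51.100.9 844
2026-05-01T09:30:01Z 10.20.1.15 203.0.113.44 18402
2026-05-01T09:45:04Z 10.20.1.15 203.0.113.44 18102
2026-05-01T09:58:50Z 10.20.1.15 198.51.100.9 3110
2026-05-01T10:00:02Z 10.20.1.15 203.0.113.44 17877
2026-05-01T10:05:12Z 10.20.1.15 198.51.100.9 560
2026-05-01T10:15:03Z 10.20.1.15 203.0.113.44 18355
"""


def parse_log(text):
    """Parse 'ts src dst bytes' lines into (datetime, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return records


def beacon_candidates(records, min_connections=4, max_jitter=0.10):
    """Flag (src, dst) pairs whose connection spacing is nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the intervals
    between consecutive connections: a fixed timer gives a value near 0,
    human browsing gives values well above max_jitter.
    Returns {(src, dst): (mean_interval_s, jitter, total_bytes_out)}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(records):
        by_pair[(src, dst)].append((ts, nbytes))

    hits = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_connections:
            continue  # too few points to judge periodicity
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        mu = mean(intervals)
        if mu <= 0:
            continue
        jitter = pstdev(intervals) / mu
        if jitter <= max_jitter:
            hits[pair] = (round(mu), round(jitter, 4), sum(n for _, n in conns))
    return hits


if __name__ == "__main__":
    for (src, dst), (interval, jitter, total) in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: every ~{interval}s, jitter {jitter}, {total} bytes out")
```

Periodic traffic is not malicious on its own: update checks, NTP, monitoring agents, and the EMS server's own check-ins with its endpoints will all surface here, so allowlist known destinations first and then correlate the remaining hits with the window in which EMS policies were rewritten. Treat `max_jitter` as a tunable rather than a rule; the report describes the channel only as timer-based, and an implant that randomizes its sleep would need a looser threshold or a frequency-domain test instead.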

Potential risks and opportunities

Risks

  • Organizations with internet-facing FortiClient EMS below 7.4.7 that delay patching face full credential compromise across all managed endpoints, including VPN and cloud service accounts.
  • Enterprises using FortiClient for zero-trust network access could see lateral movement via stolen session cookies before the affected credentials are rotated.
  • Harvested enterprise credentials could surface on dark-web markets within 30 to 60 days if EKZ Infostealer's exfiltration infrastructure remains active, enabling secondary attacks by unrelated threat actors.

Opportunities

  • EDR vendors (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) can offer FortiClient EMS policy-change monitoring as an immediate upsell to affected enterprise customers.
  • Privileged access management vendors (BeyondTrust, CyberArk) gain direct leverage in conversations about replacing browser-stored credential workflows that EKZ specifically targets.
  • MSSPs with Fortinet expertise have a narrow window to offer emergency compromise-assessment and credential-rotation services to the large installed base running pre-7.4.7 EMS.

What we don't know yet

  • Attribution behind the threat actors exploiting CVE-2026-35616 is unconfirmed, with no nation-state or criminal group named in Arctic Wolf's public reporting.
  • Whether Fortinet issued any emergency advisory or out-of-band patch before version 7.4.7, and how long organizations were exposed between CVE discovery and patch availability.
  • The specific command-and-control infrastructure behind EKZ Infostealer's scheduled timer-based exfiltration channel has not been publicly identified, leaving defenders without network-level IOCs.