
FortiClient EMS Abuse Turns Endpoint Management Into a Malware Delivery Channel

Overview

A newly observed campaign targeting FortiClient Endpoint Management Server (EMS) shows how trusted administrative infrastructure can be turned into a malware delivery channel.

The activity is linked to CVE-2026-35616, an improper access control vulnerability in FortiClient EMS that allows an unauthenticated attacker to send unauthorized requests and execute code or commands on affected systems. Fortinet has confirmed exploitation in the wild and has released hotfixes for vulnerable FortiClient EMS versions 7.4.5 and 7.4.6.

According to Arctic Wolf, attackers used compromised EMS access to modify FortiClient configuration and silently deploy a previously undocumented credential stealer, tracked as EKZ Infostealer, to managed endpoints.

What Happened

FortiClient EMS is designed to centrally manage endpoint configurations, security policies, and remote access profiles across enterprise devices. In this campaign, attackers abused that trusted management position after gaining access through CVE-2026-35616.

The observed attack chain included:

  • bypassing EMS API authentication
  • modifying Remote Access Profile and endpoint policy settings
  • adding malicious connection scripts
  • triggering script execution through FortiClient VPN connection behavior
  • downloading and executing a fake endpoint patch named FortiEndpoint_Patch.exe

The payload was not a legitimate Fortinet update. It was a credential-stealing malware designed to collect sensitive data from infected systems. Arctic Wolf identified the malware as EKZ Infostealer.

How the Attack Works

The attackers used a legitimate FortiClient EMS feature intended to run scripts when VPN tunnels are established.

When a managed endpoint connected through an IPsec tunnel, FortiClient processes such as fortitray.exe or ipsec.exe launched command scripts from a standard FortiClient logging path. Those scripts then executed a PowerShell payload, downloaded the malicious executable, and sent output back to attacker-controlled infrastructure.

The reported process chain was:

fortitray.exe / ipsec.exe → cmd.exe → powershell.exe → FortiEndpoint_Patch.exe

This is important because the malicious activity originated from a trusted management workflow. To the environment, the execution path could appear related to normal endpoint administration unless detailed process monitoring and configuration auditing were in place.

What EKZ Infostealer Targets

EKZ Infostealer is designed to collect browser and session data from affected Windows endpoints.

According to the technical reporting, the malware targets:

  • saved browser passwords
  • session cookies
  • autofill data
  • credit card information stored in browsers
  • data from Chromium-based browsers such as Chrome and Edge
  • data from Firefox-family browsers and Thunderbird

Stolen session cookies are especially dangerous because they can allow account takeover even when multi-factor authentication is enabled. If an attacker obtains a valid session, the account may already appear authenticated from the service provider’s perspective.

Why This Matters

This campaign is significant because it turns an endpoint management platform into a distribution mechanism.

The risk is not limited to one compromised machine. If EMS is abused, attackers can potentially reach many managed devices at once.

For enterprise environments, this creates several risks:

  • fleet-wide malware deployment
  • credential theft across managed endpoints
  • session hijacking
  • unauthorized policy changes
  • persistence through trusted administrative tooling
  • reduced visibility if the activity is mistaken for normal management behavior

This is why FortiClient EMS exposure should be treated as a high-priority security issue, not as a routine application patch.

Recommended Actions

Organizations using FortiClient EMS should verify exposure and apply available Fortinet hotfixes immediately. Fortinet states that version 7.4.7 is expected to include the full fix, while hotfixes are available for vulnerable 7.4.5 and 7.4.6 installations.

Priority actions include:

  • apply the relevant Fortinet hotfix or upgrade as soon as a fixed version is available
  • restrict EMS management access to trusted IP ranges only
  • review Remote Access Profiles for unauthorized scripts
  • audit VPN connection scripts and endpoint policies
  • look for suspicious command files in FortiClient script paths
  • monitor for unusual fortitray.exe, ipsec.exe, cmd.exe, and powershell.exe process chains
  • rotate credentials and invalidate sessions on affected endpoints if compromise is suspected
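The process-chain monitoring item above, and the fortitray.exe / ipsec.exe → cmd.exe → powershell.exe → FortiEndpoint_Patch.exe chain described under "How the Attack Works", can be turned into a simple correlation over process-creation telemetry. The following is an added example written for this article (not Fortinet's, Arctic Wolf's or DIAMATIX's own tooling); the Sysmon-style event fields (`pid`, `ppid`, `image`) and the sample events are constructed for illustration.

```python
import ntpath

# Added example, not from the original report. Parent processes that FortiClient
# uses to launch VPN connection scripts (as named in the reporting above).
FORTICLIENT_PARENTS = {"fortitray.exe", "ipsec.exe"}
# Interpreter hops seen in the reported chain before the final payload.
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Constructed process-creation events in a Sysmon-like shape (pid, parent pid, image path).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe"},
    {"pid": 200, "ppid": 1,   "image": "C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe"},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"pid": 500, "ppid": 400, "image": "C:\\Users\\Public\\FortiEndpoint_Patch.exe"},
    # Benign admin activity: an interactive shell started from Explorer.
    {"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 700, "ppid": 600, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

def lineage(by_pid, pid):
    """Return lower-cased image basenames from pid up to the root, child first."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                       # guard against cyclic/recycled pids
        event = by_pid[pid]
        names.append(ntpath.basename(event["image"]).lower())
        pid = event.get("ppid")
    return names

def suspicious_chains(events):
    """Flag processes reached from a FortiClient parent via one or more
    cmd.exe/powershell.exe hops, i.e. script-driven execution under VPN tooling.
    Returns (pid, 'parent -> ... -> child') tuples in event order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        chain = lineage(by_pid, event["pid"])
        i = 1
        while i < len(chain) and chain[i] in INTERPRETERS:
            i += 1                          # skip interpreter hops above this process
        # Need at least one interpreter hop, then a FortiClient parent above it.
        if i > 1 and i < len(chain) and chain[i] in FORTICLIENT_PARENTS:
            hits.append((event["pid"], " -> ".join(reversed(chain[: i + 1]))))
    return hits

if __name__ == "__main__":
    for pid, chain in suspicious_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {chain}")
```

A cmd.exe launched directly by fortitray.exe is deliberately not flagged on its own, since that is the legitimate connection-script mechanism; the alert fires on what the script goes on to run, which is where the reported abuse becomes visible.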

DIAMATIX Perspective

This case shows why management platforms must be treated as critical infrastructure.

Endpoint management tools are trusted by design. They can deploy policies, execute scripts, change configurations, and interact with a large number of devices. When attackers gain control over such a system, the management layer itself becomes the delivery mechanism.

The main lesson is not only to patch the vulnerability. It is to verify whether trusted administrative workflows have already been abused.

Detection should include:

  • configuration change monitoring
  • administrative action review
  • endpoint process chain correlation
  • session and credential misuse detection
  • visibility across managed endpoint behavior

Trusted infrastructure needs the same continuous monitoring as exposed applications.

CISO Analysis

From a CISO perspective, this is an identity and control-plane risk, not only an endpoint malware issue.

The key questions are:

  • Is FortiClient EMS exposed to the internet or accessible from broad networks?
  • Who can modify endpoint policies and remote access profiles?
  • Are changes to VPN connection scripts reviewed and logged?
  • Can the SOC detect endpoint execution initiated by management tooling?
  • Are browser credentials and session cookies treated as high-value assets during incident response?

This campaign also reinforces the importance of separating administrative access, limiting management interfaces, and monitoring tools that are capable of fleet-wide change.

What This Means for Your Environment

  • This type of attack relies on abusing trusted endpoint management infrastructure rather than deploying malware directly to each device.
  • Detection depends on visibility into EMS configuration changes, management-initiated script execution, and unusual endpoint process chains.
  • Response requires patching, configuration review, credential rotation, and validation of whether managed devices were already exposed.

Could your environment detect malicious script deployment through a trusted endpoint management platform?

Do you have visibility into endpoint activity initiated by administrative tooling?

See how this type of management-layer abuse is investigated and handled in real operational environments.



Sources

  • Fortinet PSIRT. CVE-2026-35616 advisory.
  • NVD. CVE-2026-35616 record.
  • Arctic Wolf. FortiClient EMS exploitation and EKZ Infostealer analysis.
  • watchTowr Labs. FortiClient EMS exploitation observations.

This article is based on publicly available technical and threat intelligence information as of May 2026.
