Full Report
Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. [...]
Analysis Summary
# Vulnerability: Authentication Bypass in FortiClient EMS Leading to EKZ Malware
## CVE Details
- **CVE ID:** CVE-2026-35616
- **CVSS Score:** Critical (Numerical score not specified in text, but categorized as critical improper access control)
- **CWE:** Improper Access Control / Authentication Bypass
## Affected Systems
- **Products:** FortiClient Enterprise Management Server (EMS)
- **Versions:** Versions prior to the fixed releases 7.4.5 and 7.4.6.
- **Configurations:** Internet-exposed EMS instances; specifically those with endpoint APIs accessible to unauthenticated remote actors.
## Vulnerability Description
The flaw is an improper access control vulnerability that allows an unauthenticated remote attacker to perform administrative actions via specially crafted requests to the endpoint APIs. In observed attacks, this bypass is used to modify EMS configurations and VPN policies. By altering these policies, attackers can inject malicious scripts into VPN scripting workflows, which are then automatically pushed to and executed by connected endpoints.
## Exploitation
- **Status:** Exploited in the wild
- **Complexity:** Not explicitly stated, though it involves multi-stage command execution.
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Extraction of browser credentials, credit cards, cookies, and MFA-protected session data)
- **Integrity:** High (Modification of EMS configurations and VPN security policies)
- **Availability:** High (Ability to execute arbitrary code/commands on managed endpoints)
## Remediation
### Patches
- **FortiClient EMS 7.4.5:** Released as an emergency hotfix.
- **FortiClient EMS 7.4.6:** Released as an emergency hotfix.
### Workarounds
- Ensure EMS instances are not unnecessarily exposed to the public internet.
- Restrict access to administrative APIs to trusted IP addresses only.
## Detection
- **Log Indicators:**
  - Look for the log entry: `"Certificate not found in request header."`
  - Monitor for subsequent entries indicating certificate updates: `"Certificate user: fortinet-ca2 … successfully updated"`
- **Behavioral Indicators:**
  - Unexpected changes to Remote Access Profile configurations.
  - `fortitray.exe` launching `cmd.exe` or PowerShell scripts unexpectedly.
  - Base64-encoded PowerShell payloads downloading files from an external VPS.
- **Anomalies:** New administrative accounts or logins originating from Tor or unfamiliar VPS IP addresses.
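The two indicator classes above (the certificate log sequence on the EMS server and `fortitray.exe` spawning a shell on an endpoint) can be turned into a small correlation check. The script below is an added example, not code from the report or from Fortinet; the log line format, the `parent=`/`child=`/`args=` process fields and the sample lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the report).
# Assumed format: ISO-8601 timestamp, source tag, free-text message.
SAMPLE_LOGS = [
    "2026-04-01T10:00:01Z ems Certificate not found in request header.",
    "2026-04-01T10:00:07Z ems Certificate user: fortinet-ca2 (CN=EMS) successfully updated",
    "2026-04-01T10:05:33Z endpoint parent=fortitray.exe child=cmd.exe args=/c powershell -enc <BASE64>",
    "2026-04-01T10:06:00Z endpoint parent=explorer.exe child=cmd.exe args=/c dir",
    "2026-04-02T09:00:00Z ems Certificate user: fortinet-ca2 (CN=EMS) successfully updated",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
CERT_MISSING_RE = re.compile(r"Certificate not found in request header")
CERT_UPDATED_RE = re.compile(r"Certificate user: fortinet-ca2\b.*successfully updated")
PROC_RE = re.compile(r"parent=(?P<parent>\S+)\s+child=(?P<child>\S+)(?:\s+args=(?P<args>.*))?")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENCODED_FLAG_RE = re.compile(r"\s-e(?:nc|ncodedcommand)?\b", re.IGNORECASE)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(lines, window=timedelta(minutes=10)):
    """Return (finding_kind, timestamp) tuples in log order."""
    findings = []
    last_missing = None  # time of the most recent cert-not-found entry
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if CERT_MISSING_RE.search(msg):
            last_missing = ts
        elif CERT_UPDATED_RE.search(msg):
            # The sequence is the signal: a certificate update shortly after a
            # request that carried no client certificate. A lone update is not flagged.
            if last_missing is not None and ts - last_missing <= window:
                findings.append(("cert_missing_then_updated", m["ts"]))
                last_missing = None
        else:
            p = PROC_RE.search(msg)
            if p and p["parent"].lower() == "fortitray.exe":
                args = p["args"] or ""
                if p["child"].lower() in SHELLS or "powershell" in args.lower():
                    kind = "fortitray_spawns_shell"
                    if ENCODED_FLAG_RE.search(args):
                        kind += "_encoded"  # -enc / -EncodedCommand present
                    findings.append((kind, m["ts"]))
    return findings


if __name__ == "__main__":
    for kind, when in analyze(SAMPLE_LOGS):
        print(f"{when} {kind}")
```

Feed it real EMS and endpoint telemetry by adapting `LINE_RE` and `PROC_RE` to the actual field layout; the correlation window is a tunable assumption.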
## References
- Fortinet Advisory: hxxps[://]www[.]bleepingcomputer[.]com/news/security/new-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks/
- CISA Action Order: hxxps[://]www[.]bleepingcomputer[.]com/news/security/cisa-orders-feds-to-patch-fortinet-flaw-exploited-in-attacks-by-friday/
- Arctic Wolf Research: (Reference inferred from article text)