CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

FortiClient Code Execution Vulnerability Exploited to Deploy EKZ Malware

Cybersecurity News Archived May 28, 2026 ✓ Full text saved

A newly observed exploitation campaign targeting FortiClient Endpoint Management Server (EMS) has weaponized trusted administrative infrastructure to silently deploy a previously unreported credential stealer across managed enterprise endpoints. In May 2026, Arctic Wolf researchers identified a cluster of malicious activity exploiting CVE-2026-35616, an improper access control vulnerability in FortiClient EMS. The flaw allows unauthenticated threat […] The post FortiClient Code Execution Vulnera

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Attack News FortiClient Code Execution Vulnerability Exploited to Deploy EKZ Malware By Guru Baran May 28, 2026 A newly observed exploitation campaign targeting FortiClient Endpoint Management Server (EMS) has weaponized trusted administrative infrastructure to silently deploy a previously unreported credential stealer across managed enterprise endpoints. In May 2026, Arctic Wolf researchers identified a cluster of malicious activity exploiting CVE-2026-35616, an improper access control vulnerability in FortiClient EMS. The flaw allows unauthenticated threat actors to bypass API authentication and send privileged requests to affected deployments, effectively granting administrative control without valid credentials. Attackers Abused FortiClient’s Own Infrastructure Once threat actors gained access to the EMS configuration, they modified the Remote Access Profile and endpoint policy to inject malicious scripts targeting all managed devices. FortiClient EMS supports script execution upon VPN tunnel establishment using on_connect directives, a legitimate feature that the attackers weaponized entirely. When affected endpoints are connected via an IPsec tunnel, fortitray.exe launched .cmd script files with GUID-based filenames stored within FortiClient’s standard VPN logging path: C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd These scripts decoded and executed a base64-encoded PowerShell payload that downloaded the malicious executable, ran it silently, waited 90 seconds, and exfiltrated output via HTTP POST to a threat-actor-controlled VPS at 83[.]138.53[.]110. The observed process lineage was: fortitray.exe or ipsec.exe → cmd.exe → powershell.exe → FortiEndpoint_Patch.exe Initial exploitation was also linked to login events from multiple Tor exit node IPs, including 185[.]220.101.15 and 192[.]42.116.14, within hours of the API authentication bypass. EKZ Infostealer – Credential Harvesting Tool The downloaded payload, disguised as FortiEndpoint_Patch.exeIt is a MinGW-compiled Windows binary Arctic Wolf, designated as EKZ Infostealer, named after internal symbol strings extracted from decrypted code. This tool was first observed in May 2026 and had not been previously documented. EKZ targets both Chromium-family browsers (Chrome, Edge) and Gecko-family browsers (Firefox, LibreWolf, Thunderbird). For Chromium browsers, it locates installations via the registry, copies itself into the browser’s Application\ directory to pass Elevation Service path validation, and calls IElevator::DecryptData to obtain the v20 AES-256 master key before decrypting credential databases. For Firefox, it dynamically loads nss3.dll and extracts data from key4.db, logins.json, and cookies.sqlite. Harvested data, including saved passwords, session cookies, and autofill entries like credit card details, is written to a log.txt in ProgramData, then exfiltrated on a timed schedule. The stolen session cookies are particularly dangerous, as they can enable account takeover even where MFA protections are in place, Arctic Wolf observed. Indicators of Compromise Indicator Type Description 83[.]138.53[.]110 IP Address Threat-actor-controlled C2/payload host 185[.]220.101.15 IP Address Tor exit node used for login 192[.]42.116.14 IP Address Tor exit node used for login 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e SHA-256 EKZ Infostealer (FortiEndpoint_Patch.exe) FortiEndpoint_Patch.exe / p.exe Filename Malicious credential stealer binary hxxp[:]//83.138.53[.]110/dl/p.exe URL Payload delivery URL Mitigations Patch immediately — Upgrade FortiClient EMS to a fixed version addressing CVE-2026-35616 Restrict management port access — Limit network access to EMS port 8013 to trusted IP ranges only Audit VPN script configurations — Review on_connect and script directives within Remote Access Profiles for unauthorized entries Hunt for IOCs — Search endpoint logs for GUID-named .cmd files in FortiClient’s logs\Trace\scripts\ path and anomalous fortitray.exe process chains Rotate browser credentials — Treat all credentials and session cookies on managed endpoints as potentially compromised Organizations relying on FortiClient EMS should treat this as a high-priority incident response trigger, given that a single EMS compromise translates to fleet-wide exposure across every managed endpoint. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Apple’s New Anti-Snatching Feature Will Auto-Lock iPhones When Stolen From Your Hand Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems Payload Ransomware Uses ChaCha20 and Curve25519 ECDH to Encrypt Windows Files Cybercriminals Use Telegram Channels to Sell Verified Bank and Fintech Mule Accounts Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes Latest News Cyber Security News GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains Cyber Security News Hackers Use Grandoreiro Malware to Target Portuguese Banks and Latin American Companies Cyber Security News Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts Cyber Security News Hackers Use Fake ChatGPT and Claude Installers to Deploy DinDoor Backdoor Cyber Security News Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗