ctipilot.ch


FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

Arctic Wolf Labs published technical evidence on 2026-05-27 of an in-the-wild campaign abusing CVE-2026-35616, the CWE-284 improper-access-control flaw in Fortinet FortiClient EMS 7.4.5 and 7.4.6 (CVSS 9.1; on CISA KEV since 2026-04-06). The vulnerable code path trusts the X-SSL-CLIENT-VERIFY HTTP header set by a fronting reverse proxy or load balancer instead of validating the client-certificate state itself, so an unauthenticated attacker with network access can spoof the header and reach privileged management APIs.

In the observed campaign, the attackers modify Remote Access Profile configurations to push a PowerShell payload signed under the trusted fortitray.exe binary; the payload fetches FortiEndpoint_Patch.exe, which is in fact the EKZ Infostealer. EKZ copies itself into Chromium and Gecko browser-profile directories (Chrome, Microsoft Edge, Firefox, LibreWolf, Waterfox, Pale Moon, Thunderbird) to clear elevation-validation checks, then dumps the encrypted credential and cookie stores via nss3.dll.

Because EMS is the management plane, compromise of a single EMS server cascades to every managed endpoint. The fix is FortiClient EMS 7.4.7.
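The defect class behind CVE-2026-35616, an application trusting a proxy-supplied verification header from any sender, is worth seeing next to its hardened form and a matching detection. The following is an added illustration written for this brief, not Fortinet's code or a reproduction of EMS internals: a generic service fronted by a reverse proxy that performs mutual TLS and reports the result in X-SSL-CLIENT-VERIFY. The trusted-proxy range, header value "SUCCESS" and the log lines are constructed for the example.

```python
"""Header-trust defect class illustrated on a generic proxied service.

Added example for this brief; not Fortinet code. Everything below
(proxy range, log format, sample lines) is constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed: the only hosts that may legitimately set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]

HEADER = "X-SSL-CLIENT-VERIFY"  # assumed header name, as named in the brief
VERIFIED = "SUCCESS"            # assumed value the proxy emits on a good cert


def _from_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer is one of the proxies we actually deploy."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def authorized_vulnerable(headers: Dict[str, str]) -> bool:
    """Defective pattern: believe the header no matter who sent it.

    Any client that can reach the service directly (or through a proxy that
    passes unknown headers through) can assert a verified certificate.
    """
    return headers.get(HEADER, "").upper() == VERIFIED


def authorized_hardened(peer_ip: str, headers: Dict[str, str]) -> bool:
    """Accept the proxy's verdict only from a trusted proxy address.

    Two further conditions are assumed and not shown here: the proxy must
    always overwrite (never pass through) the header, and if the service
    terminates TLS itself it should validate the client certificate directly
    rather than rely on any header at all.
    """
    if not _from_trusted_proxy(peer_ip):
        return False  # header from anywhere else carries no meaning
    return headers.get(HEADER, "").upper() == VERIFIED


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse the constructed 'key=value key=value' access-log format."""
    return dict(kv.split("=", 1) for kv in line.split())


def flag_spoofed_header_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Detection: requests that carry the header but did not come via a proxy.

    On a correctly deployed service no such request should ever exist, so
    every hit is either a misconfiguration or an attempt to forge the header.
    """
    flagged = []
    for line in lines:
        rec = parse_log_line(line)
        if "x-ssl-client-verify" not in rec:
            continue
        if not _from_trusted_proxy(rec["src"]):
            flagged.append(rec)
    return flagged


# Constructed sample access log: one request via the proxy, one direct request
# asserting the header from an external address, one unrelated health check.
SAMPLE_LOG = [
    "src=10.0.0.2 path=/api/profiles x-ssl-client-verify=SUCCESS",
    "src=198.51.100.7 path=/api/profiles x-ssl-client-verify=SUCCESS",
    "src=198.51.100.9 path=/healthz",
]

if __name__ == "__main__":
    hdrs = {HEADER: VERIFIED}
    print("vulnerable, external peer :", authorized_vulnerable(hdrs))
    print("hardened, external peer   :", authorized_hardened("198.51.100.7", hdrs))
    print("hardened, proxy peer      :", authorized_hardened("10.0.0.2", hdrs))
    for rec in flag_spoofed_header_requests(SAMPLE_LOG):
        print("flagged:", rec)
```

The peer-address check is the minimum; it is only sound when the service is not reachable except through the proxy and the proxy unconditionally sets the header. The detection function is the same predicate run over access logs, which is what a SOC can do today on an unpatched estate while the upgrade to 7.4.7 is scheduled.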

Why it matters to us: FortiClient EMS is widely deployed across Swiss federal and cantonal network-security estates and across EU public-sector networks. Deep-dive treatment in § 5 below.