ctipilot.ch

FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer via fake Fortinet patch

cve · CVE-2026-35616

  • Coverage timeline: 3 (first 2026-05-29 → last 2026-05-29)
  • Briefs: 1 (1 distinct)
  • Sources cited: 13 (8 hosts)
  • Sections touched: 3 (active_threats, deep_dive, immediate_actions)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-29 · CTI Daily Brief — 2026-05-29
     active_threats: First coverage. ITW exploitation via X-SSL-CLIENT-VERIFY header spoof to push EKZ via trusted EMS update channel signed under fortitray.exe. CISA KEV since 2026-04-06. Deep dive § 5.
  2. 2026-05-29 · CTI Daily Brief — 2026-05-29
     deep_dive: Deep dive: header-spoof primitive → privileged management API → Remote Access Profile push → EKZ Infostealer staged as FortiEndpoint_Patch.exe under fortitray.exe parent → browser-profile-write self-copy → nss3.dll credential dump → HTTPS exfil. T1190, T1195.002, T1218, T1555.003, T1071.001, T1041.
  3. 2026-05-29 · CTI Daily Brief — 2026-05-29
     immediate_actions: Action: upgrade EMS to 7.4.7, strip X-SSL-CLIENT-VERIFY at reverse proxy, rotate browser credentials.

Where this entity is cited

  • active_threats (1)
  • deep_dive (1)
  • immediate_actions (1)

Source distribution

  • attack.mitre.org: 6 (46%)
  • arcticwolf.com: 1 (8%)
  • fortiguard.fortinet.com: 1 (8%)
  • thehackernews.com: 1 (8%)
  • cisa.gov: 1 (8%)
  • github.com: 1 (8%)
  • msrc.microsoft.com: 1 (8%)
  • nvd.nist.gov: 1 (8%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (13)

Items in briefs about FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer via fake Fortinet patch (1)

FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

Arctic Wolf Labs published technical evidence on 2026-05-27 of an in-the-wild campaign abusing CVE-2026-35616, the CWE-284 improper-access-control flaw in Fortinet FortiClient EMS 7.4.5 and 7.4.6 (CVSS 9.1; on CISA KEV since 2026-04-06). The vulnerable code path trusts the X-SSL-CLIENT-VERIFY HTTP header, which is meant to be set by a fronting reverse proxy or load balancer, instead of validating client-certificate state itself; an unauthenticated attacker on the network spoofs the header to reach privileged management APIs. In the observed campaign, attackers modify Remote Access Profile configurations to push a PowerShell payload signed under the trusted fortitray.exe binary that fetches FortiEndpoint_Patch.exe, which is in fact the EKZ Infostealer. EKZ copies itself into Chromium/Gecko browser-profile directories (Chrome, Microsoft Edge, Firefox, LibreWolf, Waterfox, Pale Moon, Thunderbird) to clear elevation-validation checks, then dumps encrypted credential and cookie stores via nss3.dll. Compromise of a single EMS server cascades to every managed endpoint. The fixed release is FortiClient EMS 7.4.7.
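The brief's interim action "strip X-SSL-CLIENT-VERIFY at reverse proxy" is a one-line proxy change; the following nginx fragments are an added illustration written for this page, not configuration from Arctic Wolf, Fortinet or the brief itself. They assume nginx is the fronting proxy (the brief does not name one); the server name, certificate paths and upstream EMS address are placeholders. The weak form shows the default pass-through behaviour a defender should look for in an existing config; the hardened form makes the proxy the sole owner of the header.

```nginx
# Added example (not from the brief or from Fortinet). Placeholders:
# ems.example.internal, /etc/nginx/ems.*, and the upstream 10.0.0.10.
# This is an interim control until EMS is upgraded to 7.4.7, not a substitute.

# WEAK: a bare proxy_pass forwards client request headers to the upstream
# unchanged, so a client-supplied X-SSL-CLIENT-VERIFY value reaches EMS
# exactly as if the proxy had set it.
#
#     location / {
#         proxy_pass https://10.0.0.10:443;
#     }

# HARDENED: the proxy owns the header. nginx does not forward a header whose
# value is the empty string, so nothing a client sends under that name is
# passed upstream.
server {
    listen 443 ssl;
    server_name ems.example.internal;            # placeholder
    ssl_certificate     /etc/nginx/ems.crt;      # placeholder
    ssl_certificate_key /etc/nginx/ems.key;      # placeholder

    location / {
        # Drop any inbound X-SSL-CLIENT-VERIFY (the brief's recommended action).
        proxy_set_header X-SSL-CLIENT-VERIFY "";
        proxy_pass https://10.0.0.10:443;        # placeholder EMS address
    }
}

# VARIANT: if the proxy itself terminates client-certificate (mTLS) auth,
# set the header only from nginx's own verification result. proxy_set_header
# replaces any client-supplied field of the same name; $ssl_client_verify is
# "SUCCESS", "NONE" or "FAILED:<reason>".
#
#     ssl_client_certificate /etc/nginx/client-ca.crt;   # placeholder
#     ssl_verify_client optional;
#     proxy_set_header X-SSL-CLIENT-VERIFY $ssl_client_verify;
```

Two checks go with this: confirm with `nginx -t` that no other `location` or included file also proxies to EMS without the `proxy_set_header` line, and restrict the EMS listener (host firewall or network ACL) so that only the proxy can reach it; header stripping at the proxy is meaningless for an attacker who can connect to the EMS service directly.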

Why it matters to us: FortiClient EMS is widely deployed across Swiss federal and cantonal network-security estates and across EU public-sector networks. Deep-dive treatment in § 5 below.