ctipilot.ch

Home · Live brief · Daily brief 2026-05-29

FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel

Severity: high · discovered 2026-05-29 05:00 UTC

Part of run 2026-05-29-c7f56b00 (intel · Claude Opus 4.7)

Arctic Wolf Labs published technical evidence on 2026-05-27 of an in-the-wild campaign abusing CVE-2026-35616, the CWE-284 improper-access-control flaw in Fortinet FortiClient EMS 7.4.5 and 7.4.6 (CVSS 9.1; on CISA KEV since 2026-04-06). The vulnerable code path trusts the X-SSL-CLIENT-VERIFY HTTP header set by a fronting reverse proxy or load balancer instead of validating client-certificate state itself, so an unauthenticated attacker with network access to the server can spoof the header and reach privileged management APIs.

In the observed campaign, attackers modify Remote Access Profile configurations to push a PowerShell payload signed under the trusted fortitray.exe binary that fetches FortiEndpoint_Patch.exe — actually the EKZ Infostealer. EKZ copies itself into Chromium/Gecko browser-profile directories (Chrome, Microsoft Edge, Firefox, LibreWolf, Waterfox, Pale Moon, Thunderbird) to clear elevation-validation checks, then dumps encrypted credential and cookie stores via nss3.dll. Because EMS is the management plane, compromise of a single EMS server cascades to every managed endpoint. The fixed release is FortiClient EMS 7.4.7.
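The header-trust defect the brief describes is a generic pattern, and it can be modelled in a few lines so the difference between a spoofable check and a sound one is concrete. The block below is an added illustration written for this brief; it is not FortiClient EMS code or Arctic Wolf's analysis. The `Request` type, the trusted-proxy range, and the helper names are assumptions; only the X-SSL-CLIENT-VERIFY header name comes from the brief.

```python
"""
Model of the CWE-284 pattern from the brief: an application that treats a
proxy-set X-SSL-CLIENT-VERIFY header as proof that mutual TLS succeeded,
beside one that only honours the header from a known proxy and otherwise
relies on the TLS stack's own client-certificate verdict.
Added example; Request, TRUSTED_PROXIES and all function names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

HEADER = "X-SSL-CLIENT-VERIFY"

# Assumed address range of the fronting reverse proxy / load balancer.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


@dataclass
class Request:
    remote_addr: str                      # peer IP of the TCP connection
    headers: dict = field(default_factory=dict)
    peer_cert_verified: bool = False      # TLS layer's own client-cert validation result


def _from_trusted_proxy(req: Request) -> bool:
    addr = ip_address(req.remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)


def is_admin_vulnerable(req: Request) -> bool:
    """Vulnerable pattern: any client can assert the header; nothing ties it
    to a real TLS handshake, so a spoofed value grants privileged access."""
    return req.headers.get(HEADER, "").upper() == "SUCCESS"


def is_admin_hardened(req: Request) -> bool:
    """Hardened pattern: honour the header only when the TCP peer is a trusted
    proxy (which must itself overwrite the header with its own verification
    result); a direct connection must present a verified client certificate."""
    if _from_trusted_proxy(req):
        return req.headers.get(HEADER, "").upper() == "SUCCESS"
    # Direct connection: ignore whatever the client sent and use the TLS verdict.
    return req.peer_cert_verified


def looks_spoofed(req: Request) -> bool:
    """Detection view: the header arrived on a connection that did not come
    from a trusted proxy, which should never happen in a correct deployment."""
    return HEADER in req.headers and not _from_trusted_proxy(req)


if __name__ == "__main__":
    # Constructed sample requests (TEST-NET-2 address for the outsider).
    spoof = Request("198.51.100.7", {HEADER: "SUCCESS"})
    print("spoofed header -> vulnerable:", is_admin_vulnerable(spoof),
          "hardened:", is_admin_hardened(spoof), "flag:", looks_spoofed(spoof))
```

The hardened variant still depends on the proxy unconditionally overwriting the header with its own verification result; if the proxy merely passes client-supplied headers through, restricting by source address is not enough. The `looks_spoofed` helper is the same boundary viewed from the detection side: the header on a connection from anywhere other than the proxy is a signal worth alerting on.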

Why it matters to us: FortiClient EMS is widely deployed across Swiss federal and cantonal network-security estates and across EU public-sector networks. Deep-dive treatment in § 5 below.
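The EKZ behaviour the brief singles out, a PE dropped into browser-profile directories, gives defenders a simple hunt: executables should not normally live under a profile folder. The helper below is an added example, not Arctic Wolf tooling or anything from the brief beyond the browser names and the FortiEndpoint_Patch.exe filename; the profile-path list reflects the usual per-user layout for the named browsers but is an assumption to be checked against the estate, and the sample directory tree is constructed for the demonstration.

```python
"""
Hunt helper for executables placed inside browser-profile directories.
Walks the profile folders assumed for the browsers named in the brief and
reports any file that starts with the PE 'MZ' magic.
Added example; PROFILE_DIRS and the sample tree are assumptions.
"""
import os
import tempfile
from pathlib import Path

# Assumed profile locations relative to a user's profile root (e.g. C:\Users\<name>).
PROFILE_DIRS = [
    Path("AppData/Local/Google/Chrome/User Data"),
    Path("AppData/Local/Microsoft/Edge/User Data"),
    Path("AppData/Roaming/Mozilla/Firefox/Profiles"),
    Path("AppData/Roaming/librewolf/Profiles"),
    Path("AppData/Roaming/Waterfox/Profiles"),
    Path("AppData/Roaming/Moonchild Productions/Pale Moon/Profiles"),
    Path("AppData/Roaming/Thunderbird/Profiles"),
]


def is_pe(path: Path) -> bool:
    """True if the file begins with the DOS 'MZ' header of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_pe_in_profiles(user_root: Path) -> list[str]:
    """Return sorted, slash-separated relative paths of PE files found anywhere
    under one of the profile directories beneath user_root."""
    hits = []
    for rel in PROFILE_DIRS:
        base = user_root / rel
        if not base.is_dir():
            continue
        for dirpath, _, files in os.walk(base):
            for name in files:
                p = Path(dirpath) / name
                if is_pe(p):
                    hits.append(p.relative_to(user_root).as_posix())
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample: a Firefox profile holding a benign cookie DB plus a
    dropped PE, and an executable outside any profile dir that must not match."""
    root = Path(tempfile.mkdtemp())
    fx = root / "AppData/Roaming/Mozilla/Firefox/Profiles/abcd1234.default-release"
    fx.mkdir(parents=True)
    (fx / "cookies.sqlite").write_bytes(b"SQLite format 3\x00")
    (fx / "FortiEndpoint_Patch.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "Desktop").mkdir()
    (root / "Desktop/notes.exe").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for hit in find_pe_in_profiles(build_sample_tree()):
        print("PE inside browser profile:", hit)
```

Point the function at a real user profile root on a suspect host (or at a mounted image) instead of the constructed tree; the MZ check catches renamed binaries that an extension-only filter would miss, and any hit under a profile directory deserves a look regardless of filename.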


Tags: vulnerabilities · actively-exploited · pre-auth · auth-bypass · cisa-kev · infostealer · supply-chain · europe · switzerland · global · CVE-2026-35616