Endpoint management platforms are supposed to reduce operational risk. When they are exposed or weakly controlled, they can become one of the fastest ways for an attacker to reach every managed machine.
Arctic Wolf reported a May 2026 campaign where attackers exploited CVE-2026-35616, an improper access control vulnerability in FortiClient Enterprise Management Server (EMS), to modify managed configuration and deliver a credential stealer disguised as a Fortinet endpoint patch. The payload, tracked by Arctic Wolf as EKZ Infostealer, targets browser credentials, cookies, saved passwords, and autofill data across Chromium- and Firefox-family browsers.
Original reporting: Arctic Wolf: FortiClient EMS exploited via CVE-2026-35616 to deliver EKZ Infostealer.
What happened
FortiClient EMS centrally manages FortiClient endpoint configuration, including VPN-related profiles. According to Arctic Wolf, exploitation allowed unauthenticated actors to send privileged API requests to affected EMS deployments. After gaining that management-plane control, the attackers changed configuration in ways that caused managed endpoints to execute malicious PowerShell through FortiClient-managed VPN scripting workflows.
The observed chain is especially concerning because it did not require a separate intrusion path to each workstation. Once the management system was abused, the attacker could ride the same trusted administrative mechanism that organizations use for legitimate endpoint operations.
Why this matters for SMBs and government contractors
This is not just another edge-device vulnerability. It is a reminder that management infrastructure is tier-zero infrastructure. If endpoint management, VPN management, RMM, MDM, or firewall management systems are internet-exposed and insufficiently restricted, compromise can quickly turn into fleet-wide execution.
The credential-theft angle also raises the impact. Browser cookies and saved credentials can give attackers follow-on access to cloud portals, SaaS tools, contractor systems, internal apps, and email accounts. In some cases, stolen session cookies reduce the value of MFA because the attacker never faces a login prompt at all; they simply reuse an already-authenticated session.
Defensive takeaways
- Patch FortiClient EMS immediately if your environment is running an affected version. Treat this as urgent where EMS is internet-accessible.
- Restrict EMS management access to trusted administrative networks or VPN-only paths. Do not leave management ports broadly reachable.
- Hunt EMS logs for certificate-authentication anomalies, unexpected accounts, unfamiliar logins, Tor/VPS source IPs, and Remote Access Profile changes.
- Review VPN profile scripting for unapproved on_connector script directives, especially changes made shortly before endpoint PowerShell activity.
- Inspect endpoint process trees where fortitray.exe or ipsec.exe launches cmd.exe, which then launches encoded or hidden PowerShell.
- Look for credential staging such as suspicious executables or log.txt artifacts under C:\ProgramData, followed by raw-IP HTTP POST activity.
- Rotate credentials and revoke sessions if compromise is suspected. Password resets alone are not enough if active browser sessions or tokens were stolen.
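The endpoint-side hunting items above (FortiClient parent process launching cmd.exe and then encoded or hidden PowerShell, staging artifacts under C:\ProgramData, and HTTP POSTs to a raw IP) can be turned into one correlated check over exported telemetry. The script below is an added example written for this post; it is not Arctic Wolf's or Fortinet's code. The event records are constructed and their field names (type, pid, ppid, image, cmdline, path, method, url) are an assumption standing in for whatever your EDR or Sysmon export actually provides.

```python
"""Correlate the FortiClient EMS abuse indicators from the hunting list:
FortiClient parent -> cmd.exe -> encoded/hidden PowerShell, then staging
under C:\\ProgramData and a POST to a raw IP from the same process tree.
Added example; field names are assumed, sample events are constructed."""
import ipaddress
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

Event = Dict[str, object]

# FortiClient binaries the post names as unexpected parents of cmd.exe.
FORTICLIENT_PARENTS = {"fortitray.exe", "ipsec.exe"}
# PowerShell switches that indicate encoded or hidden execution.
ENCODED = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s")
HIDDEN = re.compile(r"(?i)\s-w(?:in|indowstyle)?\s+hidden\b")

# Constructed sample telemetry: one malicious tree (pids 100-102) plus a
# benign explorer -> cmd.exe tree (pids 200-201) that must not be flagged.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe", "cmdline": "FortiTray.exe"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"},
    {"type": "process", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgA"},
    {"type": "file", "pid": 102, "path": r"C:\ProgramData\log.txt"},
    {"type": "network", "pid": 102, "method": "POST", "url": "http://203.0.113.10/upload"},
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "network", "pid": 201, "method": "GET", "url": "https://update.example.com/check"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_forticlient_chains(events: List[Event]) -> List[Dict[str, object]]:
    """Return every fortitray.exe|ipsec.exe -> cmd.exe -> PowerShell chain
    where the PowerShell command line is encoded or hidden."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for ps in procs.values():
        if basename(str(ps["image"])) not in {"powershell.exe", "pwsh.exe"}:
            continue
        cmd = str(ps["cmdline"])
        if not (ENCODED.search(cmd) or HIDDEN.search(cmd)):
            continue
        parent = procs.get(ps["ppid"])
        if parent is None or basename(str(parent["image"])) != "cmd.exe":
            continue
        grand = procs.get(parent["ppid"])
        if grand is None or basename(str(grand["image"])) not in FORTICLIENT_PARENTS:
            continue
        findings.append({
            "chain": [basename(str(grand["image"])), "cmd.exe", basename(str(ps["image"]))],
            "pids": [grand["pid"], parent["pid"], ps["pid"]],
            "cmdline": cmd,
        })
    return findings


def find_staging_artifacts(events: List[Event], pids: Set[object]) -> List[str]:
    """Files written by the suspect tree under C:\\ProgramData: log.txt or executables."""
    hits = []
    for e in events:
        if e["type"] != "file" or e["pid"] not in pids:
            continue
        path = str(e["path"])
        low = path.lower()
        if low.startswith("c:\\programdata\\") and (low.endswith("log.txt") or low.endswith(".exe")):
            hits.append(path)
    return hits


def find_raw_ip_posts(events: List[Event], pids: Set[object]) -> List[str]:
    """HTTP POSTs from the suspect tree whose host is a bare IP rather than a name."""
    hits = []
    for e in events:
        if e["type"] != "network" or e["pid"] not in pids or e["method"] != "POST":
            continue
        host = urlparse(str(e["url"])).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # named host: not the raw-IP exfil pattern
        hits.append(str(e["url"]))
    return hits


def hunt(events: List[Event]) -> List[Dict[str, object]]:
    """One report entry per FortiClient-rooted chain, enriched with staging and exfil evidence."""
    report = []
    for chain in find_forticlient_chains(events):
        pids = set(chain["pids"])
        report.append({**chain,
                       "staging": find_staging_artifacts(events, pids),
                       "raw_ip_posts": find_raw_ip_posts(events, pids)})
    return report


if __name__ == "__main__":
    for entry in hunt(SAMPLE_EVENTS):
        print(" -> ".join(entry["chain"]), entry["pids"], entry["staging"], entry["raw_ip_posts"])
```

The chain check is the anchor: a process tree rooted in fortitray.exe or ipsec.exe that reaches encoded or hidden PowerShell is rare enough in normal operation to be worth a ticket on its own, and the staging and raw-IP POST lookups are restricted to that tree so that ordinary cmd.exe usage elsewhere on the host does not generate noise. Replace SAMPLE_EVENTS with a loader for your own process, file and network telemetry.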
Bulwark Black assessment
The key lesson is control-plane hardening. Security teams often prioritize the endpoint agent and forget the server that tells every endpoint what to do. That server deserves the same treatment as identity infrastructure: limited exposure, strong administrative controls, logging, change monitoring, and rapid patching.
For smaller organizations and contractors, the practical move is to make a quick inventory of management systems that can execute code across endpoints. If a platform can push scripts, install software, change VPN behavior, or alter endpoint policy, it should be on the short list for access restriction, backup review, and alerting.
Attackers are not only targeting individual laptops anymore. They are targeting the tools administrators use to manage those laptops. Defend the control plane first.
