New infostealer reaches enterprise devices through FortiClient EMS vulnerability

ID: b922d6e9-aec9-5bfe-9a93-d1115cb104d9

STIX ID: report--b922d6e9-aec9-5bfe-9a93-d1115cb104d9

Feed Name: Help Net Security

Threat Score
78/100

Date Published: 2026-05-29

Date Updated: 2026-05-29

Author: Zeljka Zorz


Attackers exploited CVE-2026-35616 in FortiClient Enterprise Management Server to bypass API authentication and deliver a malicious FortiClient-managed update (FortiEndpoint_Patch.exe) that installs the EKZ Infostealer on endpoints; the infostealer harvests cookies, credentials and autofill data from Chromium- and Gecko-based browsers. Arctic Wolf observed the campaign in May 2026, recovered additional malicious samples from the threat actor’s server, shared IOCs, and advised organizations to check EMS logs, investigate suspicious accounts/configuration changes, and remediate by rotating credentials, revoking sessions, and taking recovery actions (e.g., reissuing payment cards if needed).