Fake 'Fortinet Patch' Is Actually Malware: FortiClient EMS Flaw Used to Steal Passwords From Managed PCs

York Computer

If your business runs Fortinet's VPN and endpoint software — and a lot of small businesses do, because their managed IT provider deploys it — there's a fresh attack you need to know about. Researchers caught hackers using a critical flaw in FortiClient Enterprise Management Server (EMS) to push malware to every PC that server manages, disguised as a routine Fortinet patch. The payload silently scrapes saved passwords, credit card data, and login cookies from Chrome, Edge, and Firefox.

What happened

Security firm Arctic Wolf disclosed last week that attackers are abusing a known FortiClient EMS vulnerability tracked as CVE-2026-35616 to deliver a previously unseen credential stealer the researchers named EKZ Infostealer. The flaw carries a CVSS score of 9.1 and lets an unauthenticated attacker bypass API authentication and send privileged requests to FortiClient EMS — the central console IT teams use to manage every Fortinet-protected endpoint in a network.

Once inside the EMS console, the attackers don't drop malware directly. Instead, they modify the Remote Access Profile and endpoint policy so that the next time a managed PC connects to the company VPN, FortiClient's own legitimate process (fortitray.exe) launches a malicious batch script. That script runs a base64-encoded PowerShell command, downloads a file named FortiEndpoint_Patch.exe, and runs it — making the malware look like a normal Fortinet update pushed by IT.

The payload, EKZ Infostealer, pulls saved passwords, session cookies, autofill data, and credit card numbers from Chromium-based browsers (Chrome, Edge) and Firefox-based browsers, including bypass techniques against Chrome's encrypted password storage. The stolen data is written to a log file and exfiltrated over HTTP to an attacker-controlled server.

Why this matters for small businesses

FortiClient EMS is squarely an SMB and mid-market product. It's the kind of console an MSP runs to push VPN configs and endpoint policy to every laptop a small business owns. That's exactly what makes this attack dangerous: a single compromised EMS server translates into fleet-wide malware delivery across every managed device, and the malware arrives via the same trusted pipe IT uses to push real updates.

The vulnerability is not new — Fortinet released hotfixes in early April after confirming zero-day exploitation, and CISA added it to the Known Exploited Vulnerabilities catalog at that time. The fix is in FortiClient EMS 7.4.7 and later. What's new is that attackers are still finding unpatched instances a month later and using them to harvest credentials at scale. Shadowserver reported roughly 2,000 internet-exposed EMS instances when the flaw first surfaced.

Session cookies are the real prize here. Stolen cookies let attackers log into Microsoft 365, QuickBooks Online, or your bank without needing the password — and without tripping multi-factor authentication.

What your managed-IT provider should be doing right now

If your MSP uses Fortinet, ask them three specific questions this week:

1. "Are we running FortiClient EMS 7.4.7 or later?" Anything earlier is vulnerable. The patch has been available since April.

2. "Is our EMS management port (8013) restricted to trusted IPs, or is it reachable from the open internet?" Locking down management interfaces is basic hygiene that should already be in place.

3. "Have you audited the Remote Access Profile and on-connect scripts in EMS for anything unexpected?" The Arctic Wolf write-up specifically calls out reviewing those configs for unauthorized script entries, and also checking the script trace directory on endpoints (C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\) for suspicious GUID-named .cmd files.
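The endpoint-side part of that third check can be scripted. The following is an added example, not code from York Computer, Arctic Wolf or Fortinet: it walks the trace script directory the write-up names, lists every .cmd file, notes whether the file name is a GUID, and flags the content markers described above (an encoded PowerShell command, a reference to FortiEndpoint_Patch.exe, an embedded URL). The function names, the regular expressions and the decision to treat only content hits as "suspicious" (FortiClient can legitimately write GUID-named scripts here, so the name alone is context, not proof) are this example's own assumptions.

```powershell
# Added example: audit FortiClient on-connect script traces on a managed Windows PC.
# Run in an elevated PowerShell on the endpoint. Read-only: it never deletes or runs anything.

$ScriptDir = 'C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts'   # path cited by the write-up

function Test-GuidFileName {
    param([string]$Name)
    # Matches {3F2504E0-4F89-11D3-9A0C-0305E82C3301}.cmd, with or without braces
    return $Name -match '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?\.cmd$'
}

function Get-SuspiciousIndicators {
    param([string]$Content)
    $hits = @()
    # powershell ... -enc <base64>  (the -e/-ec/-enc/-EncodedCommand forms)
    if ($Content -match '(?i)powershell(\.exe)?[^\r\n]*\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{40,})') {
        $hits += 'EncodedPowerShell'
        $b64 = $Matches[3]
        # Decode so an analyst can read what the command actually does (UTF-16LE, as -EncodedCommand expects)
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))
            if ($decoded -match '(?i)FortiEndpoint_Patch\.exe') { $hits += 'DecodedReferencesFakePatch' }
            if ($decoded -match '(?i)(Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b)') {
                $hits += 'DecodedDownloadsContent'
            }
        } catch {
            $hits += 'Base64DecodeFailed'
        }
    }
    if ($Content -match '(?i)FortiEndpoint_Patch\.exe') { $hits += 'ReferencesFakePatch' }
    if ($Content -match '(?i)https?://')                 { $hits += 'ContainsURL' }
    return $hits
}

function Invoke-OnConnectScriptAudit {
    param([string]$Path = $ScriptDir)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "Trace script directory not found: $Path (no on-connect scripts have run, or FortiClient is not installed here)"
        return
    }
    Get-ChildItem -LiteralPath $Path -Filter '*.cmd' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $content    = [string](Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue)
        $contentHits = @(Get-SuspiciousIndicators -Content $content)
        $context     = @()
        if (Test-GuidFileName $_.Name) { $context += 'GuidFileName' }
        [PSCustomObject]@{
            File       = $_.FullName
            Modified   = $_.LastWriteTime
            SizeBytes  = $_.Length
            Context    = ($context -join ',')
            Indicators = ($contentHits -join ',')
            Suspicious = ($contentHits.Count -gt 0)
        }
    }
}

# Suspicious files sort to the top; hand anything flagged to your MSP before touching it.
Invoke-OnConnectScriptAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A clean result on one laptop does not clear the fleet: the script runs on the next VPN connect, so a PC that has not connected since the EMS profile was altered shows nothing yet. The EMS-side review of the Remote Access Profile remains the authoritative check.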

If the answers aren't crisp, treat saved browser credentials and session cookies on every managed endpoint as potentially compromised. That means forced password rotation and session invalidation across business-critical SaaS — email, accounting, banking, CRM.
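For the Microsoft 365 piece of that rotation, here is an added example, not code from the article or from Microsoft, of doing both steps at once for a list of affected accounts with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the operator can consent to the User.ReadWrite.All scope, and that the user list below (constructed placeholder addresses) is replaced with the real one. Accounting, banking and CRM sessions have to be invalidated separately in each of those services' admin consoles.

```powershell
# Added example: revoke all sign-in sessions and require a new password for each listed user.
# Revoking sessions invalidates refresh tokens, so a stolen browser session cookie stops working
# once the current short-lived access token expires; the password flag makes the stolen password useless.

$AffectedUsers = @(
    'alice@example.com',   # constructed placeholder UPNs, not from the article
    'bob@example.com'
)

# Interactive sign-in as a Global Admin or User Administrator (assumption: Microsoft.Graph module present)
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

function Invoke-CredentialReset {
    param([string[]]$UserPrincipalNames)
    foreach ($upn in $UserPrincipalNames) {
        try {
            $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop
            # Step 1: kill every existing session / refresh token for the account
            Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
            # Step 2: force a password change at next sign-in
            Update-MgUser -UserId $user.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
            [PSCustomObject]@{ User = $upn; Status = 'SessionsRevoked; PasswordChangeRequired' }
        } catch {
            [PSCustomObject]@{ User = $upn; Status = "Failed: $($_.Exception.Message)" }
        }
    }
}

Invoke-CredentialReset -UserPrincipalNames $AffectedUsers | Format-Table -AutoSize
```

Run it before the endpoints are cleaned rather than after: if the infostealer is still resident, a password changed first is simply stolen again, so the order is clean or isolate the PC, then reset, then let users sign back in.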

What York Businesses Should Do

York County small businesses running Fortinet through an outside IT provider should email their MSP this week and get a written confirmation that FortiClient EMS is patched to 7.4.7+ and that the management interface isn't exposed. If you don't have a provider keeping current on KEV-listed vulnerabilities within days of release, that's the gap York Computer fills.
