FortiClient EMS Hack: How Infostealer Attacks Work Now


Hackers exploit FortiClient EMS flaw CVE-2026-35616 to deploy EKZ infostealer. Learn how this attack works, who's at risk, and how to protect your credentials now.

If you're using FortiClient Enterprise Management Server (EMS), you might want to sit down for this. Hackers are actively exploiting a serious authentication bypass vulnerability—tracked as CVE-2026-35616—to sneak a nasty credential stealer called EKZ onto systems. And it's not just any attack; it's clever, quiet, and designed to grab your most sensitive data without you ever knowing. Let's break this down in plain English.

The flaw lives in FortiClient EMS, a tool many businesses rely on to manage endpoint security. The bad news? Attackers can bypass login checks entirely, meaning they don't need a password to get in. Once inside, they deploy EKZ, a custom infostealer that targets saved credentials, browser cookies, and even system passwords. Think of it like a digital pickpocket that works while you're busy running your business.

### How the Attack Works

The exploit chain is surprisingly simple for how effective it is. First, hackers scan for vulnerable FortiClient EMS servers exposed to the internet. When they find one, they use the authentication bypass to gain admin-level access without any credentials. From there, they upload a malicious payload disguised as a legitimate update or configuration file. EKZ then runs silently, stealing everything it can before sending it back to a remote server.

What makes this particularly dangerous is the stealth factor. EKZ doesn't cause obvious system slowdowns or pop-ups. It blends in, logs your keystrokes, and extracts passwords from browsers like Chrome, Firefox, and Edge. For businesses, this could mean compromised email accounts, cloud services, and even financial platforms.

### Who's at Risk?

Any organization using FortiClient EMS version 7.0.0 through 7.2.0 is vulnerable right now. If you haven't patched yet, you're essentially leaving the front door unlocked. Small and medium businesses are especially at risk because they often lack dedicated security teams to monitor for threats like this. But even large enterprises aren't safe if they've delayed updates.

Here's a quick checklist to see if you're exposed:

- Check your FortiClient EMS version. If it's below 7.2.1, you need to update immediately.
- Look for any unauthorized admin accounts or recent configuration changes.
- Monitor outbound traffic for unusual connections to unknown IP addresses.
- Review logs for failed login attempts that suddenly succeeded—this could indicate the bypass in action.

### What You Can Do Right Now

The best defense is simple: patch your FortiClient EMS to the latest version. Fortinet released a fix in early 2026, but many organizations haven't applied it yet. If you can't patch immediately, restrict access to the EMS interface by putting it behind a VPN or firewall. Never expose it directly to the internet.

Also, consider using an antidetect browser for any sensitive work. Antidetect browsers mask your digital fingerprint, making it harder for infostealers to track your activity or steal credentials tied to your real browser profile. Tools like those from Antidetectbrowsershub can add an extra layer of protection, especially if you're managing multiple accounts or handling confidential data.

### The Bigger Picture

This isn't just another vulnerability—it's a wake-up call. Credential theft is on the rise, and attackers are getting better at exploiting trusted software. The EKZ stealer is a reminder that even enterprise-grade tools can be turned against you. Staying updated, monitoring your network, and using privacy-focused tools like antidetect browsers are your best bets.

Remember, security isn't a one-time fix. It's an ongoing habit. Check your systems today, patch what you can, and stay vigilant. Your data is worth the effort.
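To make two items of the exposure checklist above concrete (the version check against 7.2.1 and the "failed logins that suddenly succeeded" review), here is an added Python example that is not from the article or from Fortinet. It assumes a constructed, simplified login-log format, not the real FortiClient EMS log format, and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIXED_VERSION = (7, 2, 1)  # fixed release named in the article; older is exposed

def parse_version(text):
    """Turn a dotted version string such as '7.0.3' into a comparable tuple."""
    return tuple(int(p) for p in text.strip().split("."))

def ems_version_exposed(version):
    """True when the reported EMS version is below the fixed release 7.2.1."""
    return parse_version(version) < FIXED_VERSION

# Constructed log format for this example (NOT FortiClient EMS's real format):
#   <ISO timestamp> <source ip> login <FAIL|OK> user=<name>
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>FAIL|OK) user=(?P<user>\S+)$")

def suspicious_logins(lines, min_failures=3, window=timedelta(minutes=10)):
    """(ip, user, failure_count) for each success that follows >= min_failures
    failures from the same source within the window (the checklist's indicator)."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip anything that is not a login event
        ts = datetime.fromisoformat(m["ts"])
        ip, result, user = m["ip"], m["result"], m["user"]
        recent = [t for t in failures[ip] if ts - t <= window]  # drop stale failures
        if result == "FAIL":
            recent.append(ts)
            failures[ip] = recent
        else:
            if len(recent) >= min_failures:
                hits.append((ip, user, len(recent)))
            failures[ip] = []  # a success ends the run for that source
    return hits

# Constructed sample log: one failures-then-success run, then one clean login.
SAMPLE_LOG = """\
2026-03-01T08:00:00 203.0.113.7 login FAIL user=admin
2026-03-01T08:00:05 203.0.113.7 login FAIL user=admin
2026-03-01T08:00:09 203.0.113.7 login FAIL user=admin
2026-03-01T08:00:12 203.0.113.7 login OK user=admin
2026-03-01T09:15:00 198.51.100.4 login OK user=helpdesk
"""
if __name__ == "__main__":
    print("exposed:", ems_version_exposed("7.0.3"), "suspicious:", suspicious_logins(SAMPLE_LOG.splitlines()))
```

Feed it your own exported login events after adapting `LOG_LINE` to the actual format; a hit is a prompt for investigation, not proof of compromise on its own.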