Tuesday , July 14 2026
EMS

ALERT
FortiClient EMS Code Execution Flaw Exploited to Deploy Malware

A recent phishing attack aimed at FortiClient Endpoint Management Server (EMS) has used trusted admin systems to quietly install a new password thief on company devices.

In May 2026, Arctic Wolf researchers found a group of bad actions using CVE-2026-35616, a flaw in FortiClient EMS that allows improper access.

Meta’s louisiana data center to exceed 250 billion price tag

Meta announced on Monday that its data center in Richland Parish, Louisiana, will grow to 5 gigawatts of computing power....
Read More
Meta’s louisiana data center to exceed 250 billion price tag

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

Attackers Abused FortiClient’s Own Infrastructure

After the attackers got into the EMS settings, they changed the Remote Access Profile and endpoint rules to add harmful scripts that targeted all managed devices.

FortiClient EMS lets scripts run when a VPN tunnel is set up with on_connect commands. Attackers misused this real feature.

When affected endpoints are connected via an IPsec tunnel, fortitray.exe launched .cmd script files with GUID-based filenames stored within FortiClient’s standard VPN logging path:
C:\Program Files\Fortinet\FortiClient\logs\Trace\scripts\{GUID}.cmd

These scripts decoded and executed a base64-encoded PowerShell payload that downloaded the malicious executable, ran it silently, waited 90 seconds, and exfiltrated output via HTTP POST to a threat-actor-controlled VPS at 83[.]138.53[.]110.

The observed process lineage was:
fortitray.exe or ipsec.exe → cmd.exe → powershell.exe → FortiEndpoint_Patch.exe

Initial exploitation was also linked to login events from multiple Tor exit node IPs, including 185[.]220.101.15 and 192[.]42.116.14, within hours of the API authentication bypass.

EKZ Infostealer – Credential Harvesting Tool

The downloaded file, hidden as FortiEndpoint_Patch.exe, is a Windows program made with MinGW. It is linked to Arctic Wolf and called EKZ Infostealer, named after certain symbols found in its code. This tool was first seen in May 2026 and has not been recorded before.

EKZ aims at both Chromium browsers (like Chrome and Edge) and Gecko browsers (like Firefox, LibreWolf, and Thunderbird). For Chromium browsers, it finds where they are installed in the registry, copies itself into the browser’s Application\ folder to pass a check, and uses IElevator::DecryptData to get the v20 AES-256 master key to decrypt account databases.

Indicators of Compromise

Indicator Type Description
83[.]138.53[.]110 IP Address Threat-actor-controlled C2/payload host
185[.]220.101.15 IP Address Tor exit node used for login
192[.]42.116.14 IP Address Tor exit node used for login
0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e SHA-256 EKZ Infostealer (FortiEndpoint_Patch.exe)
FortiEndpoint_Patch.exe / p.exe Filename Malicious credential stealer binary
hxxp[:]//83.138.53[.]110/dl/p.exe URL Payload delivery URL

Mitigations

Patch immediately — Upgrade FortiClient EMS to a fixed version addressing CVE-2026-35616
Restrict management port access — Limit network access to EMS port 8013 to trusted IP ranges only
Audit VPN script configurations — Review on_connect and script directives within Remote Access Profiles for unauthorized entries
Hunt for IOCs — Search endpoint logs for GUID-named .cmd files in FortiClient’s logs\Trace\scripts\ path and anomalous fortitray.exe process chains
Rotate browser credentials — Treat all credentials and session cookies on managed endpoints as potentially compromised

Organizations using FortiClient EMS should see this as an urgent issue. If one EMS is compromised, it can lead to problems for all managed endpoints.

Check Also

Tenda

CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to …