Cyber: Essential Guide: Hackers exploit FortiClient EMS flaw to push infostealer malware

Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. The attacker disguised the malware as an update for Fortinet endpoints and executed it through VPN scripting workflows managed by FortiClient. The exploited critical vulnerability is an improper access control flaw that allows unauthenticated remote attackers to execute arbitrary code or commands via specially crafted requests.

Fortinet confirmed in early April that the flaw was being exploited and released emergency hotfixes for versions 7.4.5 and 7.4.6 of the product. CISA reacted quickly to the malicious activity and ordered federal agencies to secure their instances by the end of that week, while the internet security watchdog group The Shadowserver Foundation reported at the time that it was seeing 2,000 internet-exposed EMS instances.

Earlier this month, cybersecurity company Arctic Wolf observed attacks leveraging the vulnerability to deliver the EKZ infostealer. The researchers note that the intrusion begins with abusing endpoint APIs to perform administrative actions without authentication. The attacker then modifies the EMS configuration and VPN policies to introduce the execution of malicious scripts. Seconds after endpoints established an IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe launched malicious batch scripts through Command Prompt. Those scripts executed a base64-encoded PowerShell payload that downloaded and ran malware disguised as a Fortinet patch, then exfiltrated data to an attacker-controlled VPS over HTTP.
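As a defender-side illustration of the process chain described above (fortitray.exe launching a batch script through Command Prompt, which in turn runs base64-encoded PowerShell), here is an added Python example that is not code from the article or from Arctic Wolf: it scans process-creation events for an encoded PowerShell command whose parent chain leads back to fortitray.exe and decodes the command for analyst review. The event fields, pids, paths and placeholder script are constructed assumptions, not observed values.

```python
import base64
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image name as logged, e.g. "powershell.exe"
    cmdline: str
# PowerShell's encoded-command switch (and its short forms) plus the base64 argument.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
def decode_encoded_command(cmdline):
    # -EncodedCommand carries base64 of the UTF-16LE script; return it, or None.
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_fortitray_script_chains(events, max_depth=5):
    # Flag powershell.exe with an encoded command whose ancestry includes fortitray.exe.
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("powershell.exe"):
            continue
        decoded = decode_encoded_command(e.cmdline)
        if decoded is None:
            continue
        chain, parent = [e.image], by_pid.get(e.ppid)
        while parent is not None and len(chain) <= max_depth:   # bounded walk up the tree
            chain.append(parent.image)
            if parent.image.lower().endswith("fortitray.exe"):
                hits.append({"pid": e.pid, "chain": " <- ".join(chain), "decoded": decoded})
                break
            parent = by_pid.get(parent.ppid)
    return hits
# Constructed sample telemetry, not real logs: pid 300 mirrors the reported chain; pid 400 is noise.
PLACEHOLDER_CMD = "Write-Host 'placeholder payload'"   # stands in for the real script
ENC = base64.b64encode(PLACEHOLDER_CMD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "fortitray.exe", "fortitray.exe"),
    ProcEvent(200, 100, "cmd.exe", r"cmd.exe /c C:\placeholder\update.bat"),
    ProcEvent(300, 200, "powershell.exe", f"powershell.exe -NoP -W Hidden -EncodedCommand {ENC}"),
    ProcEvent(400, 50, "powershell.exe", f"powershell.exe -enc {ENC}"),  # parent is not fortitray
]
```

Feeding real Sysmon or EDR process-creation events into `ProcEvent` records lets the same walk surface the decoded script content alongside the parent chain, which is the artifact an analyst needs to confirm the fake-patch download.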

Source: BleepingComputer