A critical authentication bypass in Fortinet's FortiClient Enterprise Management Server (EMS) is being actively exploited in the wild to distribute previously undocumented credential-stealing malware tracked as EKZ, according to a report published by BleepingComputer.

The vulnerability, catalogued as CVE-2026-35616, affects the management plane that organisations use to oversee FortiClient deployments across their fleets, which is what makes the flaw particularly dangerous. A successful attack on a single EMS instance could theoretically give threat actors a foothold from which to reach every endpoint managed through that server.

What Is Known About the Attack

Fortinet has confirmed that the authentication bypass is being exploited in active campaigns. Attackers leveraging the flaw are pushing EKZ, a credential stealer that had not been documented by the security community prior to this disclosure.

Details about EKZ's full capabilities remain limited. Based on its classification as a credential stealer, it is understood to target stored authentication data on compromised machines — a category of malware that typically harvests browser passwords, session tokens, and similar sensitive material. However, the specific techniques EKZ employs, its origins, and the threat actors behind it have not yet been publicly detailed.

Why This Matters

Compromising an Enterprise Management Server is like getting the keys to the castle's control room. These platforms exist to centralise and simplify endpoint security administration — applying policies, pushing updates, and maintaining visibility across potentially thousands of devices. When an attacker subverts that central point of trust, they inherit its authority over every connected machine.

For organisations running FortiClient EMS, the scenario represents a worst-case management-plane compromise: attackers do not need to breach individual endpoints one by one when they can instead subvert the central server that controls them.

Remediation

Fortinet has issued a security advisory addressing the vulnerability. Organisations running FortiClient EMS should take the following steps immediately:

  • Apply the relevant patch provided by Fortinet for the affected EMS version.
  • Audit EMS logs for any signs of unauthorised access or anomalous activity that may indicate prior exploitation.
  • Review endpoint telemetry managed through the EMS for indicators of compromise associated with EKZ.
  • Restrict network access to the EMS management interface to minimise exposure, particularly from untrusted networks.
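As an added illustration of two of the steps above (auditing EMS logs for signs of prior exploitation, and checking that administrative access only comes from the networks allowed to reach the management interface), here is a small Python triage helper. It is example code written for this article, not code from Fortinet, BleepingComputer or the original report. The log line format, event names, session identifiers, sample lines and the 10.20.0.0/24 management network are all constructed assumptions; the parser must be adapted to the real log format of the system being audited.

```python
"""Triage helper for two of the remediation steps: flag management-plane
sessions that perform administrative actions without a preceding successful
login (the shape an authentication bypass tends to leave in logs), and
administrative actions sourced from outside the networks that are supposed
to reach the management interface.

The log line format, event names and sample lines below are CONSTRUCTED for
this example; they are not the format FortiClient EMS writes. Adapt
parse_line() and ADMIN_EVENTS to the real log source.
"""
import ipaddress
import re

# Hypothetical line shape:  <ISO time> <event> user=<name> src=<ip> sid=<session>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+sid=(?P<sid>\S+)$"
)

# Constructed allow-list of networks permitted to reach the management interface.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed event names that represent privileged management actions.
ADMIN_EVENTS = {"policy_push", "script_deploy", "config_change"}

# Constructed sample log: sid=a2 is a normal admin session; sid=b7 performs
# admin actions with no login_success at all, from an address outside the
# allow-list; sid=c1 is a failed login that never does anything privileged.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z login_success user=admin src=10.20.0.15 sid=a2
2026-01-10T09:00:05Z policy_push user=admin src=10.20.0.15 sid=a2
2026-01-10T11:42:10Z policy_push user=admin src=203.0.113.77 sid=b7
2026-01-10T11:42:12Z script_deploy user=admin src=203.0.113.77 sid=b7
2026-01-10T12:00:00Z login_failure user=admin src=198.51.100.9 sid=c1
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def in_management_net(ip_str):
    """True if the source address falls inside an allowed management network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in MANAGEMENT_NETS)


def audit(log_text):
    """Scan log text and return a list of (kind, session_id, detail) findings.

    Each session is reported at most once per finding kind, so a long session
    of privileged actions produces one alert rather than one per line.
    """
    findings = []
    authenticated = set()   # session ids that produced a login_success
    seen_no_login = set()   # sessions already reported for missing login
    seen_untrusted = set()  # sessions already reported for untrusted source
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip (a real tool would count these)
        sid, event, src, user = rec["sid"], rec["event"], rec["src"], rec["user"]
        if event == "login_success":
            authenticated.add(sid)
        if event not in ADMIN_EVENTS:
            continue
        # Privileged action in a session that never logged in: the trace an
        # authentication bypass leaves behind.
        if sid not in authenticated and sid not in seen_no_login:
            seen_no_login.add(sid)
            findings.append(("admin_action_without_login", sid,
                             f"{event} by {user} from {src}"))
        # Privileged action from outside the permitted management networks:
        # evidence the interface is exposed more widely than intended.
        if not in_management_net(src) and sid not in seen_untrusted:
            seen_untrusted.add(sid)
            findings.append(("admin_action_from_untrusted_net", sid, src))
    return findings


if __name__ == "__main__":
    for kind, sid, detail in audit(SAMPLE_LOG):
        print(f"{kind}\tsid={sid}\t{detail}")
```

Run against the constructed sample, the helper reports session b7 twice (once for acting without any login event, once for coming from 203.0.113.77) and nothing for the legitimate session a2 or the failed login c1. The "no login_success before a privileged action" heuristic is the one most directly tied to an authentication bypass; the network check is what the last step in the list above aims to make structurally impossible.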

Given the active exploitation status, deferring patching is inadvisable. The combination of a centralised management tool and credential-stealing malware creates a compounding risk that grows with every unpatched hour.

Broader Context

Fortinet products have repeatedly drawn the attention of both defenders and attackers due to their widespread enterprise adoption. Vulnerabilities in the company's appliances and management software have been frequent targets for initial access brokers and ransomware operators alike. The emergence of a novel malware payload — EKZ — alongside this particular flaw suggests that threat actors may have been preparing to leverage the vulnerability for some time before public disclosure.

Security researchers will likely publish additional technical analysis of EKZ in the coming days and weeks, which should shed light on its full feature set, distribution methods, and any connections to known threat groups.


Editorial note: The CVE identifier cited in this article (CVE-2026-35616) carries an atypical year prefix. Readers are advised to verify the confirmed identifier through Fortinet's official advisory portal or the NIST National Vulnerability Database (NVD) and check for any subsequent updates.
