Security teams are warning again: even after Fortinet patched a major flaw in its endpoint management platform, FortiClient EMS, attackers are reusing the same access path and weaponizing what looks like legitimate update behavior.

Fortinet released an April update for the high-severity CVE-2026-35616 in EMS. In May, new activity was disclosed. The pattern is not repeated host-by-host intrusion. The playbook is simpler: exploit EMS, disguise the payload as a Fortinet-style "endpoint update", and push it to the devices enrolled in EMS.

Arctic Wolf reports the adversary used CVE-2026-35616 to deploy EKZ Infostealer onto targeted endpoints. The payload is disguised as a normal-looking patch file. Once executed, it launches a background PowerShell routine that kicks off the next stage. Worse, the attack rides the EMS management distribution channel itself, pushing malicious PowerShell scripts to registered endpoints, so one server-side compromise scales to the whole managed fleet fast.

EKZ targets Chromium- and Gecko-based browsers for saved credentials, cookies and autofill data. Stolen session cookies can be replayed to reach accounts without triggering a fresh MFA prompt, so the exposure is not limited to passwords.

Immediate actions: verify EMS is fully patched; hunt for suspicious "update" files on managed endpoints; investigate PowerShell activity on the EMS server and on managed hosts, especially invocations spawned by an installer-looking binary; and review EMS distribution logs and browser credential-theft indicators. #Fortinet #Cybersecurity #Malware #VulnerabilityManagement #IncidentResponse #EndpointSecurity
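As an added example (not part of the original post, and not Arctic Wolf's or Fortinet's tooling), the Python below shows the kind of hunt the last paragraph calls for: it scans process-creation records for a PowerShell launch with hidden-window, no-profile, encoded-command or execution-policy-bypass flags whose parent is an "update"- or "patch"-named executable sitting in a user-writable directory, and decodes any -EncodedCommand argument to look for a download-and-execute stager. The records, file names and paths are constructed for illustration and are not published indicators for this campaign; the flag abbreviations and the UTF-16LE base64 encoding of -EncodedCommand are standard PowerShell behavior.

```python
"""Hunt for a disguised 'update' binary that launches a hidden/encoded PowerShell stage."""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Constructed process-creation records. The field names loosely follow Sysmon Event ID 1;
# the hosts, file names and paths are invented and are NOT real telemetry or indicators.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: service host started by the service control manager
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
    {   # benign: admin running a plain script file from a console
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
    },
    {   # suspicious: 'update'-named binary in a user temp dir spawns hidden, encoded PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\FortiClient_Update_7.4.1.exe",
        "CommandLine": r"powershell.exe -NoP -W Hidden -Ep Bypass -Enc SQBFAFgA",   # 'IEX'
    },
    {   # suspicious: same chain via pwsh with the flags spelled out
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\ProgramData\EMS_Patch\patch_installer.exe",
        "CommandLine": r"pwsh.exe -NonInteractive -WindowStyle Hidden -EncodedCommand aQBlAHgA",  # 'iex'
    },
]

POWERSHELL_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# PowerShell matches parameter names case-insensitively and accepts unambiguous prefixes.
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
NOPROFILE_FLAG = re.compile(r"-nop(?:rofile)?\b", re.I)
BYPASS_FLAG = re.compile(r"-e(?:p|x\w*)\s+(?:bypass|unrestricted)", re.I)
# -e / -ec / -enc / -EncodedCommand followed by base64; lookahead keeps -ep from matching.
ENCODED_FLAG = re.compile(r"-e(?:c|nc(?:odedcommand)?)?(?=\s)\s+([A-Za-z0-9+/=]{4,})", re.I)
STAGER_HINTS = re.compile(r"iex|invoke-expression|downloadstring|invoke-webrequest|iwr|net\.webclient", re.I)
UPDATE_NAME = re.compile(r"update|patch|install|setup", re.I)
WRITABLE_DIR = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text in base64; return '' if it does not decode."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-16-le", errors="replace")


def suspicious_parent(path: str) -> bool:
    """An installer-looking file name launched from a user-writable location."""
    name = path.rsplit("\\", 1)[-1]
    return bool(UPDATE_NAME.search(name) and WRITABLE_DIR.search(path))


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons a PowerShell launch looks like a disguised-update stage."""
    reasons: List[str] = []
    if not POWERSHELL_IMAGE.search(event["Image"]):
        return reasons
    cmd = event["CommandLine"]
    if HIDDEN_FLAG.search(cmd):
        reasons.append("hidden window")
    if NOPROFILE_FLAG.search(cmd):
        reasons.append("no profile")
    if BYPASS_FLAG.search(cmd):
        reasons.append("execution policy bypass")
    m = ENCODED_FLAG.search(cmd)
    if m:
        reasons.append("encoded command")
        decoded = decode_encoded_command(m.group(1))
        if STAGER_HINTS.search(decoded):
            reasons.append(f"decoded payload invokes a stager: {decoded.strip()!r}")
    if suspicious_parent(event["ParentImage"]):
        reasons.append(f"parent is an update-style binary in a writable path: {event['ParentImage']}")
    return reasons


def hunt(events: List[Dict[str, str]], min_reasons: int = 2) -> List[Tuple[Dict[str, str], List[str]]]:
    """Keep events that trip at least min_reasons checks; one check alone is too noisy."""
    findings = []
    for ev in events:
        reasons = assess(ev)
        if len(reasons) >= min_reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev["ParentImage"], "->", ev["Image"])
        for r in reasons:
            print("   ", r)
```

The threshold of two checks is deliberate: a hidden window or an encoded command on its own is common in legitimate management scripts, while the combination with an installer-named parent outside Program Files is the pattern worth pulling for review. In a real hunt the records would come from Sysmon or 4688 process-creation events, and the decoded script block should be cross-checked against PowerShell script block logging (Event ID 4104) on the same host.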