Hackers exploit FortiClient EMS flaw to push infostealer malware
Summary
Hackers are exploiting a critical vulnerability in FortiClient EMS to deploy a new infostealer malware known as EKZ. The vulnerability, an authentication bypass flaw, allows attackers to gain unauthorized access and push the malware to vulnerable systems.
IFF Assessment
The exploitation of a vulnerability to deploy malware that steals credentials represents a direct threat to defenders and their organizations.
Severity
The vulnerability allows authentication bypass, which enables remote code execution and the subsequent deployment of malware; it poses a critical risk, with a high-rated attack vector and significant impact.
CISA KEV: Listed as actively exploited. Federal patch due: April 09, 2026. Known ransomware use: Unknown.
Defender Context
This highlights the urgent need for organizations running FortiClient EMS to patch the vulnerability immediately, as it is being actively exploited. Defenders should also watch for indicators of compromise associated with the EKZ infostealer and strengthen their endpoint detection and response capabilities.