If you run Fortinet’s FortiClient endpoint security, this one’s worth five minutes of your morning. Security firm Arctic Wolf has caught attackers abusing a known flaw in FortiClient Enterprise Management Server (EMS) — the console IT teams use to manage Fortinet software across every device — to push a fake “Fortinet patch” that’s actually an infostealer. As reported by Help Net Security, the attacks ran through May using CVE-2026-35616, an access-control bug that lets an unauthenticated attacker send crafted requests to EMS and have them treated as legitimate administrator actions.
From there it turns nasty. The attackers edited the endpoint policy inside EMS to deploy a file called FortiEndpoint_Patch.exe to managed devices. It looks like a routine update. It’s malware — a credential stealer the researchers named EKZ — and it scrapes saved passwords, autofill data and active session cookies out of every major browser, including Chrome, Edge, Firefox and Brave. The stolen session cookies are the dangerous part: they can let an attacker walk straight into your Microsoft 365 or banking portal without ever needing your password or an MFA code. Anyone running an internet-exposed, unpatched FortiClient EMS is a target — and it’s the kind of tool plenty of Australian businesses and their IT providers rely on.
Two things, today. First, make sure FortiClient EMS is on a patched version — Fortinet disclosed this flaw back in early April, so a fix is available. Second, assume anything left unpatched may already be compromised: check your EMS logs for unfamiliar admin accounts, odd logins and unexpected policy changes, then reset affected passwords and revoke active sessions across your cloud services. If card details were ever saved in a browser on an affected machine, cancel and reissue the card.
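To make that log review concrete, here is an added triage script that is not from the original post, from Arctic Wolf, or from Fortinet. It works through the three checks above on a handful of constructed audit records: admin accounts that are not on your known list, successful console logins from outside your management network, and endpoint policy changes that push an executable. The record format, field names and the trusted-admin list are assumptions made for the example; FortiClient EMS exports its own log schema, so the field mapping has to be adjusted before pointing this at real exports.

```python
"""Triage management-console audit records for three indicators:
unknown admin accounts, logins from untrusted sources, and endpoint
policy changes that deploy an executable.

The record format below is CONSTRUCTED for this example. Real EMS logs
use a different schema; map the field names before reusing this.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample records, not real EMS output. The attacker-style
# lines on 2026-05-04 mirror the behaviour described in the article.
SAMPLE_LOG = """\
2026-05-03T08:12:41Z user=admin src=10.20.0.15 action=login result=success
2026-05-03T08:13:02Z user=admin src=10.20.0.15 action=policy_update policy=Default detail="schedule tweak"
2026-05-04T02:47:19Z user=svc_update src=203.0.113.77 action=admin_create target=svc_update
2026-05-04T02:47:31Z user=svc_update src=203.0.113.77 action=login result=success
2026-05-04T02:48:05Z user=svc_update src=203.0.113.77 action=policy_update policy=Default detail="deploy FortiEndpoint_Patch.exe"
2026-05-04T09:01:10Z user=jsmith src=10.20.0.22 action=login result=failure
"""

# Assumed baseline: the admin accounts you created, and the network the
# console is normally administered from.
KNOWN_ADMINS = {"admin", "jsmith"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# key=value pairs; values may be quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECUTABLE_RE = re.compile(r"\.(exe|msi|ps1|bat)\b", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def parse_record(line):
    """Split one record into a dict of fields, keeping the timestamp as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def is_trusted(src):
    """True when the source address falls inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text, known_admins=KNOWN_ADMINS):
    """Return a list of Findings for every record that matches an indicator."""
    findings = []
    seen_unknown = set()  # report each unknown account once, not per line
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        user, src, action = rec.get("user"), rec.get("src"), rec.get("action")

        if action == "admin_create":
            findings.append(Finding("high", f"new admin account created: {rec.get('target')}", line))
        if user not in known_admins and user not in seen_unknown:
            seen_unknown.add(user)
            findings.append(Finding("high", f"activity by unknown admin account: {user}", line))
        if action == "login" and rec.get("result") == "success" and not is_trusted(src):
            findings.append(Finding("medium", f"successful login from untrusted source {src}", line))
        if action == "policy_update" and EXECUTABLE_RE.search(rec.get("detail", "")):
            findings.append(Finding("high", f"policy change pushes an executable: {rec.get('detail')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the sample data the script surfaces four findings, all on the day the unknown account appears: the account creation, the account's first activity, its login from an address outside the trusted range, and the policy change that deploys the fake patch. The routine admin activity on the previous day and the single failed login by a known user produce nothing, which is the point of the baseline: it keeps the review focused on what has changed.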
This is exactly the kind of thing managed endpoint security and monitoring is meant to catch — a trusted tool being quietly turned against you. If you’re not sure whether your Fortinet setup is patched, or who would even notice if it wasn’t, that’s worth a conversation. It’s also a sharp reminder for staff security training: not every “update” is the real thing.