Hackers are exploiting a critical authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deploy EKZ infostealer malware. This malware is disguised as a legitimate update for Fortinet endpoints and is executed through VPN scripting workflows. The flaw allows unauthenticated remote attackers to run arbitrary code via specially crafted requests. Fortinet confirmed the exploitation in early April and issued emergency hotfixes for versions 7.4.5 and 7.4.6. Following this, the Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies to secure their systems. Arctic Wolf observed that the EKZ malware targets sensitive information, including credentials and credit card data, by extracting stored data from browsers. The malware circumvents encrypted password protections, making it particularly dangerous. Researchers recommend monitoring for specific log entries that indicate exploitation attempts and suggest vigilance against suspicious administrative activities. Arctic Wolf's report includes detailed detection strategies to help organizations defend against these attacks.