Hackers Exploit FortiClient Vulnerability to Deploy EKZ Credential Stealer
AI-generated from multiple sources. Verify before acting on this reporting.
Hackers exploited an authentication bypass vulnerability in the FortiClient Enterprise Management Server to deploy an undocumented credential stealer known as EKZ. The attack was detected on May 28, 2026, marking a significant escalation in the use of enterprise security tools as vectors for malicious activity. The EKZ malware, previously unrecorded in public security databases, was designed to harvest sensitive user credentials from compromised systems.
The vulnerability allowed attackers to bypass standard authentication protocols within the FortiClient management infrastructure. By exploiting this gap, threat actors gained unauthorized access to the management server, enabling them to push the EKZ payload to connected endpoints. The malware operates by intercepting login sessions and capturing authentication tokens, which are then exfiltrated to command-and-control servers. Security researchers noted that the sophistication of the attack indicates a targeted operation rather than opportunistic scanning.
Fortinet, the manufacturer of the FortiClient software, has not yet issued a public statement regarding the specific incident. The company’s standard security advisory channels remain silent on the matter, leaving affected organizations to rely on internal detection mechanisms. The lack of immediate vendor response has raised concerns among cybersecurity professionals about the potential scope of the breach. Without a confirmed patch or mitigation strategy, administrators cannot tell how long the vulnerability has been exposed.
The EKZ stealer represents a new threat vector in the landscape of enterprise security breaches. Unlike traditional ransomware or data exfiltration tools, EKZ focuses exclusively on credential theft, suggesting a long-term espionage or access-holding objective. The malware’s code structure shows similarities to previously observed banking trojans, but its integration with enterprise management servers marks a distinct evolution in attack methodology. Analysts warn that the use of legitimate management tools for malicious deployment complicates detection, as traffic may appear benign to standard monitoring systems.
The geographic origin of the attackers remains unknown. No specific nation-state or criminal group has claimed responsibility for the operation. The timing of the attack, occurring late in the day on a Friday, may indicate an attempt to minimize immediate detection during periods of reduced administrative oversight. However, the precise motivations behind the deployment of EKZ have not been established. Questions remain regarding the number of affected organizations and whether the attackers have achieved their objectives.
Cybersecurity firms are urging enterprises to audit their FortiClient deployments and monitor for unauthorized configuration changes. Until Fortinet provides guidance, organizations are advised to implement additional authentication layers and restrict remote access to management servers. The incident underscores the growing risk of supply chain attacks and the critical need for robust endpoint protection strategies. As investigations continue, the full impact of the EKZ deployment remains unclear, leaving the cybersecurity community on alert for further developments.