A critical zero-day in Fortinet FortiClient EMS is under active exploitation, with threat actors delivering the EKZ infostealer disguised as a legitimate Fortinet patch update. The attack chain exploits initial access through the EMS vulnerability, then socially engineers administrators into executing the malicious payload by mimicking the vendor’s own patch distribution process. Affected organizations face credential theft from managed endpoints and potential lateral movement using stolen credentials.