Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
FortiClient EMS is a perimeter-facing management server; internet-exposed instances running versions 7.4.5–7.4.6 are directly reachable by the threat actor, and the EKZ campaign's delivery mechanism (disguised as a legitimate Fortinet update pushed through VPN scripting) does not depend on the user noticing anything unusual in order to succeed. Impact is very high because a successful credential and session-cookie harvest bypasses all password-based controls across enterprise applications, enabling lateral movement and data exfiltration at a scope that extends well beyond the initially compromised endpoint.
Treatment rationale: The combination of a critical authentication bypass in a perimeter-facing system and an active infostealer campaign means neither acceptance nor transfer adequately contains the immediate exposure — the attack path must be closed through patch application and exposure reduction before any residual risk can be transferred or accepted.
Third-Party / Supply-Chain Risk
FortiClient EMS functions as a centralized endpoint management and policy-distribution platform for FortiGate VPN infrastructure; organizations relying on Fortinet as a managed service, or using FortiClient EMS to manage endpoints across subsidiary or partner environments, face supply-chain propagation risk — EKZ delivered via the VPN scripting workflow could reach endpoints owned by third parties who trust the EMS server as an authoritative update source (NIST SP 800-161 Tier 2/3 exposure: shared platform dependency).
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per affected organization
Frequency: For an internet-exposed FortiClient EMS instance running a vulnerable version, illustrative event probability within a 12-month window is moderate-to-high given active campaign targeting; estimated at 1-in-3 to 1-in-2 for unpatched, exposed organizations while exploitation activity persists
Annualized: Illustrative ALE $250K–$2.5M per exposed organization (loss magnitude midpoint ~$1.5M × illustrative frequency ~0.4); range reflects uncertainty in breach scope and whether harvested credentials are used for ransomware deployment versus targeted data theft
Basis: Loss magnitude derived from:
(1) credential and session-token harvest enabling lateral movement — incident-response and forensics costs are the primary cost driver;
(2) business email compromise and cloud-service access as a downstream consequence of session hijacking — operational disruption and data-exfiltration remediation;
(3) potential regulatory notification costs if PII or payment data was accessible via compromised accounts.
Frequency derived from: an active infostealer campaign targeting a specific, identifiable version range with a critical authentication bypass — the exposure is not theoretical.
All figures are illustrative constructs, not drawn from any external benchmark or report.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Browser-saved payment card data harvested by EKZ may constitute a payment card breach triggering PCI DSS incident-notification obligations — verify with counsel and QSA.
• Session-cookie and credential theft affecting systems processing personal data may invoke state-level breach-notification statutes and GDPR Article 33 notification obligations — verify with counsel.
• Cyber-insurance policies with 'known exploited vulnerability' or 'unpatched critical CVE' exclusions may be implicated if patching was not applied within policy-specified windows — verify with broker.
• If FortiClient EMS is deployed in a managed service or outsourced IT arrangement, contractual SLA and incident-disclosure obligations to the service provider or downstream clients may be triggered — verify with counsel.