A critical access-control flaw in FortiClient EMS was used to push a fake Fortinet update, run scripts through trusted VPN workflows, and drop the EKZ infostealer on managed endpoints.