FortiClient EMS Under Attack: Credential Stealer Delivered via Trusted Management Infrastructure
Threat actors are actively exploiting a critical vulnerability in **FortiClient** Endpoint Management Server (EMS) to deploy credential-stealing malware. The attackers are leveraging the trusted endpoint management infrastructure to distribute malicious payloads disguised as legitimate **Fortinet** updates, highlighting the risks associated with supply chain attacks.

### Exploiting CVE-2026-35616
According to **Arctic Wolf**, the campaign, detected in May 2026, abuses the **FortiClient** EMS by exploiting **CVE-2026-35616** (CVSS score: 9.1). This critical pre-authentication API access bypass allows for privilege escalation. **Fortinet** addressed the vulnerability in **FortiClient** EMS 7.4.7 and later versions. Organizations using older versions are urged to upgrade immediately.

### Attack Chain Analysis
Successful exploitation allows attackers to modify configurations, defer firmware upgrade reminders, and alter Remote Access Profile settings. This enables the injection of malicious scripts designed for execution on endpoint devices. The attackers effectively weaponize **FortiClient**'s own management pathway to push malicious **PowerShell** commands, mimicking legitimate administrative operations.

### Disguised Malware: FortiEndpoint_Patch.exe
The attack leverages "fortitray.exe," a legitimate **FortiClient** executable, to launch a .cmd script via "cmd.exe." This script then executes a Base64-encoded **PowerShell** script responsible for downloading and running the malicious payload, and exfiltrating stolen data to "83.138.53[.]110" via HTTP POST requests.
The payload, named "FortiEndpoint_Patch.exe," is a previously undocumented Windows information stealer. It harvests sensitive data from Chromium- and Gecko-based browsers, including passwords, cookies, autofill data (credit card information, addresses, and phone numbers), and saves it to a log file in the ProgramData directory. The **PowerShell** script then transmits this data to attacker-controlled infrastructure.
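As an added illustration, not code from Arctic Wolf, Fortinet or the original report, the Python script below turns the endpoint-side chain described above into detection logic: the legitimate tray binary spawning cmd.exe to run a .cmd script, cmd.exe handing off to PowerShell with a Base64 encoded command (which the script decodes, since PowerShell wraps a UTF-16LE string, so analysts see the content rather than just the flag), execution of the FortiEndpoint_Patch.exe payload, and any connection to the reported exfiltration address. The event field names (Image, ParentImage, CommandLine, DestinationIp, DestinationPort) follow Sysmon conventions; the sample events, file paths, the .cmd name and the placeholder encoded script are constructed for the example and are not from the campaign.

```python
"""Constructed detection example (not from Arctic Wolf or Fortinet) for the
FortiClient EMS abuse chain: fortitray.exe -> cmd.exe -> encoded PowerShell,
the FortiEndpoint_Patch.exe payload, and connections to the reported IP.
Events are modelled on Sysmon-style process-creation / network fields."""
import base64
import re
from typing import Optional

# Indicators taken from the report; the IP is defanged there as 83.138.53[.]110.
IOC_IP = "83.138.53.110"
PAYLOAD_NAME = "fortiendpoint_patch.exe"
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries -EncodedCommand <base64>.
    PowerShell expects the Base64 blob to wrap a UTF-16LE string."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if ENCODED_FLAG.match(tok):
            try:
                return base64.b64decode(parts[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_process_event(ev: dict) -> list:
    """Flag one process-creation event; returns human-readable findings."""
    findings = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")

    # Step 1: the legitimate tray binary launching a .cmd script through cmd.exe.
    if parent == "fortitray.exe" and image == "cmd.exe" and ".cmd" in cmdline.lower():
        findings.append(f"fortitray.exe spawned cmd.exe running a .cmd script: {cmdline}")

    # Step 2: PowerShell started with an encoded command; surface the decoded script.
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append(f"encoded PowerShell (parent {parent}) decodes to: {decoded.strip()}")

    # Step 3: the stealer running under its update-like name.
    if image == PAYLOAD_NAME:
        findings.append(f"execution of {ev.get('Image')} (disguised stealer)")
    return findings


def analyze_network_event(ev: dict) -> list:
    """Flag any connection to the reported exfiltration address."""
    if ev.get("DestinationIp") == IOC_IP:
        return [f"{basename(ev.get('Image', ''))} connected to "
                f"{IOC_IP}:{ev.get('DestinationPort')} (reported exfiltration address)"]
    return []


def scan(events: list) -> list:
    """Run both analyzers over a list of events and collect all findings."""
    out = []
    for ev in events:
        if ev.get("EventType") == "ProcessCreate":
            out.extend(analyze_process_event(ev))
        elif ev.get("EventType") == "NetworkConnect":
            out.extend(analyze_network_event(ev))
    return out


# Constructed sample telemetry mirroring the chain in the report. The encoded
# script is a harmless placeholder built here so the decode step is exercised.
PLACEHOLDER_SCRIPT = "Write-Output 'constructed placeholder'"
ENCODED = base64.b64encode(PLACEHOLDER_SCRIPT.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\ProgramData\update.cmd"},  # constructed path
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"},
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\ProgramData\FortiEndpoint_Patch.exe",
     "CommandLine": "FortiEndpoint_Patch.exe"},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": IOC_IP, "DestinationPort": 80},
    # Benign control: FortiClient restarting its own tray app must not fire.
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "Image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "CommandLine": "FortiTray.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The parent/child checks are the durable part of this logic: the IP and the payload file name will rotate, but a tray application that launches cmd.exe to run a .cmd, followed by encoded PowerShell, is unusual enough to alert on regardless of which indicators are current.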

### Implications and Mitigation
**Arctic Wolf** emphasizes that by bypassing API authentication, threat actors can modify management configurations and execute malicious scripts on managed endpoints. Stolen session cookies and saved browser credentials can grant attackers access to cloud services, internal applications, and other authenticated resources, potentially bypassing multi-factor authentication (MFA).
Organizations are advised to:
* Immediately update **FortiClient** EMS to version 7.4.7 or later.
* Monitor **FortiClient** EMS logs for suspicious activity.
* Implement strong access controls and regularly review configurations.
* Educate users about the risks of running unexpected or unsolicited software updates.