Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
Publish Date: 2026-05-28 11:26:00
Source Domain: thehackernews.com
Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware.
“The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,” Arctic Wolf said. “Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.”
The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.
After a successful compromise, the threat actor modifies configuration to defer firmware upgrade reminders, and alters a Remote Access Profile configuration and endpoint policy to insert a malicious script for execution on endpoint devices.
“The observed execution pattern suggests that threat actors used FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations,” Arctic Wolf said.
“Once the threat actors had a route to modify EMS-managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device.”

In addition, the attack has been found to leverage “fortitray.exe,” a legitimate executable associated with FortiClient, to launch a .cmd script file using “cmd.exe.” The .cmd script invokes a Base64-encoded PowerShell script that, in turn, downloads a malicious payload, runs it, and exfiltrates the results to “83.138.53[.]110” via an HTTP POST request.
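The execution chain just described (fortitray.exe launching cmd.exe with a .cmd script, cmd.exe launching PowerShell with an encoded command, and an HTTP POST to the reported address) is the kind of pattern a defender can hunt for in endpoint telemetry. The following is an added detection example written for this article; it is not code from The Hacker News, Arctic Wolf or Fortinet. It assumes a generic EDR-style event shape (process events with `image`, `parent_image` and `cmdline`; network events with `method` and `dst_ip`), the sample events are constructed, and the only values taken from the article are the fortitray.exe parent, the .cmd/encoded-PowerShell hop, the “FortiEndpoint_Patch.exe” name and the defanged IP.

```python
import base64
import re
from dataclasses import dataclass

# Indicators quoted in the article. The IP is given defanged there; normalise it for matching.
EXFIL_IP = "83.138.53[.]110".replace("[.]", ".")
MASQUERADE_NAME = "FortiEndpoint_Patch.exe"

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common short forms.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


@dataclass
class Finding:
    rule: str
    detail: str


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process(ev: dict) -> list:
    """Apply the process-tree heuristics from the reported chain to one process-creation event."""
    findings = []
    image = ev["image"].lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("cmdline", "")

    # Hop 1: the FortiClient tray process launching cmd.exe with a .cmd script.
    if parent.endswith("fortitray.exe") and image.endswith("cmd.exe") and ".cmd" in cmd.lower():
        findings.append(Finding("fortitray_spawns_cmd_script", cmd))

    # Hop 2: PowerShell started with an encoded command; surface the decoded text for the analyst.
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            rule = "encoded_powershell_from_cmd" if parent.endswith("cmd.exe") else "encoded_powershell"
            findings.append(Finding(rule, decoded))
            if MASQUERADE_NAME.lower() in decoded.lower() or EXFIL_IP in decoded:
                findings.append(Finding("known_ioc_in_decoded_script", decoded))
    return findings


def check_network(ev: dict) -> list:
    """Hop 3: an HTTP POST to the address reported as the exfiltration endpoint."""
    if ev.get("method", "").upper() == "POST" and ev.get("dst_ip") == EXFIL_IP:
        return [Finding("post_to_known_exfil_ip", f"{ev['image']} -> {ev['dst_ip']}:{ev.get('dst_port')}")]
    return []


def scan(events: list) -> list:
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "network":
            findings.extend(check_network(ev))
    return findings


# Constructed sample telemetry: three events mirroring the reported chain plus two benign ones.
# The decoded script and file paths are invented for the fixture, not taken from the article.
SAMPLE_SCRIPT = r"Start-Process 'C:\Users\Public\FortiEndpoint_Patch.exe'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\Public\fc_update.cmd"},
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -enc " + SAMPLE_B64},
    {"type": "network", "image": "powershell.exe", "method": "POST", "dst_ip": EXFIL_IP, "dst_port": 80},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"type": "process", "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe", "cmdline": "FortiClient.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Each rule on its own is noisy (encoded PowerShell has legitimate uses); the value is in correlating the hops on the same host within a short window, and in decoding the encoded command so that the masquerading file name or the reported address can be matched directly rather than inferred.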
The executable, named “FortiEndpoint_Patch.exe,” masquerades as an update,…