{"id":258735,"date":"2026-05-28T11:26:00","date_gmt":"2026-05-28T15:26:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/28\/threat-actors-exploit-critical-forticlient-ems-flaw-to-deploy-credential-stealer\/"},"modified":"2026-05-29T10:20:08","modified_gmt":"2026-05-29T14:20:08","slug":"threat-actors-exploit-critical-forticlient-ems-flaw-to-deploy-credential-stealer","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/28\/threat-actors-exploit-critical-forticlient-ems-flaw-to-deploy-credential-stealer\/","title":{"rendered":"Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer"},"content":{"rendered":"

Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/05\/threat-actors-exploit-critical.html<\/a><\/p>\n

Publish Date: 2026-05-28 11:26:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802May 28, 2026<\/span><\/span>Vulnerability \/ Endpoint Security<\/span><\/p>\n

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware.<\/p>\n

“The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,” Arctic Wolf said. “Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.”<\/p>\n

The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.<\/p>\n

A successful compromise is followed by the threat actor taking steps to modify configurations to defer firmware upgrade reminders, as well as modifying a Remote Access Profile configuration and endpoint policy to insert a malicious script for execution on endpoint devices.<\/p>\n

“The observed execution pattern suggests that threat actors used FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations,” Arctic Wolf said.<\/p>\n

“Once the threat actors had a route to modify EMS-managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device.”<\/p>\n

\"\"<\/p>\n

In addition, the attack has been found to leverage “fortitray.exe,” a legitimate executable associated with FortiClient to launch a .cmd script file using “cmd.exe.” The .cmd script is designed to invoke a Base64-encoded PowerShell script that, in turn, is responsible for downloading a malicious payload, running it, and exfiltrating the results to “83.138.53[.]110” via an HTTP POST request.<\/p>\n

The executable, named “FortiEndpoint_Patch.exe,” masquerades as an update,…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer https:\/\/thehackernews.com\/2026\/05\/threat-actors-exploit-critical.html Publish Date: 2026-05-28…<\/p>\n","protected":false},"author":1,"featured_media":258736,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiLo8Mb8UwcN2lkMlnUi-l3a8DXNNL2_dW0VcATt8d34xxXX-kQN8HMolrIuw8ty0WZmpURI7hyphenhyphenDrvCAiKAarvJU1__tzxaKMxX3U4ZJbuwydE2zGoyFmutxDtid410NLBq_wi7fv_QFMdmkHGqRPwVcLY8xfeJ1PSb46o0RpCA4ubLLl8_LlLg-Id7ceU8\/s1600\/fort.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,32,34,27],"class_list":["post-258735","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-malware","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/258735"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=258735"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/258735\/revisions"}],"predecessor-version":[{"id":258737,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/258735\/revisions\/258737"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/258736"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=258735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=258735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=258735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}