Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

In early May 2026, Arctic Wolf observed a coordinated attack against organizations that use FortiClient Endpoint Management Server (EMS). The adversaries abused a critical pre‑authentication API bypass (CVE‑2026‑35616, CVSS 9.1) to gain privileged access to the EMS console, then used the legitimate management channel to push a malicious PowerShell payload disguised as a routine Fortinet update.

---

What happened?

• Vulnerability: CVE‑2026‑35616 is an unauthenticated API access bypass that lets an attacker issue privileged EMS commands without a valid token. The flaw resides in the api/v1/ems/config endpoint, which fails to enforce proper authentication checks when processing configuration changes.
• Exploitation flow:
  1. The attacker sends a crafted HTTP request to the vulnerable EMS API, gaining SYSTEM‑level rights on the management server.
  2. Using those rights, they modify a Remote Access Profile and an endpoint policy to inject a malicious script.
  3. The script invokes fortitray.exe, a legitimate FortiClient binary, to launch a hidden cmd.exe process that runs a Base64‑encoded PowerShell command.
  4. The PowerShell command downloads a second‑stage payload – FortiEndpoint_Patch.exe – and sends harvested browser data to 83.138.53[.]110 via an HTTP POST.
• Payload: The second‑stage binary is an information stealer that extracts passwords, cookies, and autofill data from Chromium‑ and Gecko‑based browsers. It writes the data to %ProgramData%\FortiEndpoint\log.txt. The stealer itself does not perform network communication; the PowerShell wrapper handles exfiltration.

---

Why it matters

FortiClient EMS is widely deployed in large enterprises to enforce endpoint policies, push software updates, and collect telemetry. By compromising the EMS server, attackers obtain a single point of control that can reach every managed device without needing separate footholds on each endpoint. This amplifies the impact of a single breach and makes detection harder because the malicious activity travels through trusted management channels.

---

Expert insight

"The campaign demonstrates how attackers are moving from traditional ransomware drop‑points to living‑off‑the‑land techniques that abuse legitimate admin tools," says Mike McClure, senior threat analyst at Arctic Wolf. "Once the EMS configuration is compromised, the threat actor can push any script or binary, effectively turning the management server into a remote execution platform."

---

Immediate mitigation steps

1. Apply the patch – Upgrade all FortiClient EMS installations to version 7.4.7 or later. Fortinet’s advisory includes the updated API logic and additional logging for configuration changes.
2. Restrict network access – Limit inbound traffic to the EMS API to known management subnets. Use firewall rules or Zero‑Trust Network Access (ZTNA) to block any external IPs.
3. Enforce MFA on the console – Even though the vulnerability bypasses token checks, enabling MFA for any interactive login adds a second barrier for attackers who might try to obtain legitimate credentials.
4. Audit configuration changes – Review the EMS audit logs for any modifications to Remote Access Profiles or endpoint policies made after the breach window (May 1‑15, 2026). Look for entries that reference fortitray.exe or unknown PowerShell commands.
5. Endpoint hardening – On managed Windows devices, enable Constrained Language Mode for PowerShell and enforce AppLocker rules that only allow signed FortiClient binaries to execute.
6. Network monitoring – Deploy a detection rule that flags outbound HTTP POST requests to the IP range 83.138.53.0/24 from internal hosts, especially when paired with PowerShell base64 payloads.

---

Longer‑term defenses

• Zero‑trust segmentation – Separate the EMS server from the rest of the corporate network. Even if the server is compromised, the attacker would still need to traverse additional segments to reach endpoints.
• API gateway – Place a reverse‑proxy in front of the EMS API that can enforce strict authentication, rate‑limit requests, and log all payloads for later analysis.
• Supply‑chain monitoring – Regularly scan FortiClient binaries with a tool like Microsoft Defender for Endpoint or CrowdStrike Falcon to detect any unsigned modifications.

---

Resources

• Fortinet security advisory – CVE‑2026‑35616 Patch Details
• Arctic Wolf technical blog – How Threat Actors Abuse FortiClient EMS
• Microsoft’s guide to Constrained Language Mode – PowerShell Security

---

Takeaway

The FortiClient EMS breach underscores the danger of trusted management pathways being turned against an organization. Prompt patching, strict network segmentation, and vigilant monitoring of configuration changes are the most effective ways to neutralize this class of attacks.