Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Why It Matters
Abusing trusted endpoint management lets attackers infiltrate thousands of devices without separate exploits, dramatically expanding credential theft and cloud‑service compromise potential.
Key Takeaways
- CVE‑2026‑35616 allows pre‑auth API bypass, CVSS 9.1.
- Attack used fortitray.exe to launch Base64 PowerShell payload.
- Malicious FortiEndpoint_Patch.exe steals browser passwords, cookies, autofill data.
- Patch released in FortiClient EMS 7.4.7; unpatched systems remain vulnerable.
Pulse Analysis
Endpoint management platforms like FortiClient EMS are prized by enterprises for centralized control, but they also become high‑value attack surfaces when vulnerabilities surface. The CVE‑2026‑35616 flaw bypassed authentication at the API layer, granting attackers privileged access to configuration settings. By masquerading malicious code as a routine firmware update, threat actors leveraged the native fortitray.exe binary to execute a Base64‑encoded PowerShell script, a technique that evades many traditional detection tools and spreads the credential stealer across every managed endpoint.
The malicious payload, FortiEndpoint_Patch.exe, functions as a classic information stealer, siphoning saved passwords, session cookies and autofill details from Chromium‑ and Gecko‑based browsers. Because the script routes exfiltration through a separate PowerShell command, the stealer itself lacks network capabilities, complicating forensic attribution. The use of legitimate management pathways means that even organizations with robust perimeter defenses can be compromised internally, turning a trusted update mechanism into a silent delivery vector.
For security teams, the incident underscores the urgency of rapid patch deployment and continuous monitoring of EMS configuration changes. Fortinet’s release of EMS 7.4.7 addresses the API bypass, but many enterprises lag in applying updates, leaving a broad attack window. Organizations should enforce strict change‑management controls, employ behavior‑based endpoint detection, and segment management traffic to limit lateral movement. The episode also highlights a growing trend: threat actors targeting supply‑chain and management tools to harvest credentials that can bypass multi‑factor authentication and facilitate deeper breaches.
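The behaviour-based detection the article recommends can be expressed as a simple rule over process-creation telemetry: flag a PowerShell child of fortitray.exe, decode any -EncodedCommand argument, and look inside the decoded script for the dropped file name. The script below is an added example written for this page; it is not code from the article, from Fortinet, or from the attackers. The event field names (parent, image, cmdline) and every sample event are constructed for illustration; the only page-derived indicator is the FortiEndpoint_Patch.exe file name, and the network cmdlet list is a generic download/exfiltration heuristic rather than a detail from the report.

```python
import base64
import binascii
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Patterns checked inside a decoded script. The file name is the one the
# article reports; the cmdlet names are generic network-activity indicators
# (an assumption, not something the report attributes to this campaign).
SUSPICIOUS_SCRIPT_PATTERNS = {
    "drops_fortiendpoint_patch": r"FortiEndpoint_Patch\.exe",
    "network_cmdlet": r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Net\.WebClient",
}


def encode_ps(script: str) -> str:
    """Base64 of the UTF-16LE script, the encoding -EncodedCommand expects.
    Used here only to build the constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand
    (or any prefix abbreviation PowerShell accepts, such as -enc or -e);
    return None when there is no such argument or it does not decode."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict) -> dict:
    """Score one process-creation event (assumed fields: parent, image, cmdline)."""
    parent = basename(event["parent"])
    image = basename(event["image"])
    findings = []
    script = None
    if image in POWERSHELL_IMAGES:
        script = decode_encoded_command(event["cmdline"])
        if script is not None:
            findings.append("encoded_powershell")
            for label, pattern in SUSPICIOUS_SCRIPT_PATTERNS.items():
                if re.search(pattern, script, re.IGNORECASE):
                    findings.append(label)
        if parent == "fortitray.exe":
            findings.append("fortitray_spawned_powershell")
    # The management agent launching hidden encoded PowerShell is the chain the
    # article describes, so that combination (or the dropped file name) is high.
    if ("fortitray_spawned_powershell" in findings and "encoded_powershell" in findings) \
            or "drops_fortiendpoint_patch" in findings:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "findings": findings, "decoded": script}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                + encode_ps('Start-Process "$env:ProgramData\\FortiEndpoint_Patch.exe"')},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "cmdline": "FortiClient.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps("Get-ChildItem C:\\Temp")},
]


def analyze(events):
    """Classify every event; returns one result dict per input event."""
    return [classify_event(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, analyze(SAMPLE_EVENTS)):
        print(f"{result['severity']:6s} {basename(event['parent'])} -> "
              f"{basename(event['image'])}: {result['findings']}")
```

The rule keys on the parent/child relationship rather than on a file hash, so it still fires if the payload is rebuilt; the decoded script is returned alongside the verdict so an analyst can read it without re-decoding by hand.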