MagnaNet Network
Threat Actors Exploit FortiClient EMS Vulnerability to Deliver Credential-Stealing Malware, Highlighting Critical Endpoint Security Risks

Cahyo Dewo, May 29, 2026

Threat actors are continuing to actively exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments, leveraging the compromised infrastructure to deliver sophisticated credential-stealing malware. This ongoing campaign, identified and detailed by cybersecurity firm Arctic Wolf in May 2026, underscores the persistent danger posed by unpatched vulnerabilities in widely used enterprise management solutions and the ingenious methods employed by adversaries to weaponize trusted systems against their legitimate users. The exploitation of this specific vulnerability allows attackers to gain deep access into an organization’s network, turning a central security management tool into a vector for widespread compromise, primarily aimed at harvesting sensitive authentication data.

The core of this malicious activity revolves around CVE-2026-35616, a critical pre-authentication API access bypass vulnerability rated with a CVSS score of 9.1, indicating severe potential impact. Fortinet, the vendor behind FortiClient EMS, had previously addressed this flaw in April 2026 with the release of FortiClient EMS 7.4.7 and subsequent versions. Despite the availability of a patch, Arctic Wolf’s observations confirm that malicious actors are still successfully exploiting instances where organizations have not yet applied the necessary updates, demonstrating the critical lag between patch availability and enterprise-wide deployment that often serves as a window of opportunity for cybercriminals. The campaign observed by Arctic Wolf specifically abuses the inherent trust placed in endpoint management infrastructure, enabling the seamless delivery of malware across a multitude of managed endpoints. Attackers cleverly disguise their credential-stealing payload as a legitimate Fortinet endpoint update, executing the malicious executable silently through PowerShell commands, thereby blending their nefarious activities with routine system operations and making detection significantly more challenging for conventional security measures.

The Critical Flaw: CVE-2026-35616 Unpacked

CVE-2026-35616 represents a severe security lapse within the FortiClient Endpoint Management Server, a centralized platform designed to manage and secure a vast array of endpoint devices within an enterprise network. The vulnerability is categorized as a pre-authentication API access bypass, a particularly dangerous type of flaw because it allows an attacker to gain unauthorized access to the system’s API without needing any prior authentication credentials. This bypass then leads directly to privilege escalation, meaning the attacker can effectively assume administrative control over the EMS server itself. In practical terms, this vulnerability grants an unauthenticated attacker the ability to interact with the EMS server’s core functionalities as if they were a fully authorized administrator. The CVSS score of 9.1 (Critical) reflects near-maximum severity, indicating that successful exploitation could lead to complete compromise of confidentiality, integrity, and availability of the affected system and potentially the entire network it manages.

Fortinet, a global leader in cybersecurity solutions, develops a wide range of security products, including firewalls, endpoint protection, and security management platforms like FortiClient EMS. Given the pervasive deployment of Fortinet products across various industries, any critical vulnerability in their software carries significant implications for global cybersecurity. The swift patching of CVE-2026-35616 in April 2026 through versions 7.4.7 and later of FortiClient EMS highlights Fortinet’s commitment to addressing security concerns. However, the ongoing exploitation observed a month later by Arctic Wolf underscores the operational challenges organizations face in applying patches promptly across complex IT environments, particularly for systems that are often critical to daily operations and thus require careful planning for downtime. This window of vulnerability, even if short, provides ample opportunity for determined threat actors to breach defenses.


A Coordinated Campaign: Timeline and Discovery

The chronology of this particular threat campaign provides crucial insights into the lifecycle of high-impact vulnerabilities. The initial disclosure and subsequent patching of CVE-2026-35616 by Fortinet occurred in April 2026. This period typically triggers a race between defenders to apply updates and attackers to reverse-engineer patches to develop exploits. Unfortunately, in this scenario, threat actors appear to have moved rapidly, taking advantage of the time before patches could be universally deployed. Arctic Wolf’s detailed observations in May 2026 confirm active exploitation, indicating that within weeks of the patch release, malicious campaigns were already underway, targeting unpatched FortiClient EMS installations.

Arctic Wolf, a prominent cybersecurity company known for its security operations solutions and threat detection capabilities, played a pivotal role in uncovering the specifics of this campaign. Their security researchers and analysts identified the distinctive patterns of exploitation, the methods of malware delivery, and the nature of the infostealer payload. Their report serves as a critical alert to the broader cybersecurity community, providing actionable intelligence necessary for organizations to detect and mitigate these ongoing attacks. The discovery highlights the importance of continuous threat hunting and proactive monitoring, especially in environments utilizing widely deployed management software that can become high-value targets for adversaries. Without the vigilance of firms like Arctic Wolf, such stealthy and impactful campaigns might continue undetected for much longer, leading to more widespread damage.

Anatomy of the Attack: From Exploitation to Data Exfiltration

The attack chain observed by Arctic Wolf is sophisticated, demonstrating a deep understanding of FortiClient EMS functionalities and an ability to weaponize legitimate system features for malicious ends.

Gaining Control of FortiClient EMS

The initial phase of the attack leverages CVE-2026-35616, the pre-authentication API access bypass, to reach the EMS API without any credentials. This critical step grants the threat actor privileged access to the FortiClient EMS server. Once administrative control is established over the EMS, the attackers gain a formidable foothold within the network. The EMS, by its very nature, is designed to exert control over managed endpoints, making it an ideal central point for distributing malware or executing commands across an entire fleet of devices. This effectively turns a security management system into a powerful command-and-control server for the attackers, capable of reaching every connected endpoint without needing to compromise each device individually.

Weaponizing Trust: Deploying the Malicious Payload

Following the initial compromise, the threat actors systematically modify EMS configurations to facilitate their malicious objectives. One key step involves altering settings to defer firmware upgrade reminders. This modification is strategic: it helps prevent legitimate updates from potentially disrupting their ongoing operations or patching the very vulnerability they are exploiting. Simultaneously, they modify a Remote Access Profile configuration and an endpoint policy. These changes are crucial as they allow the insertion of a malicious script designed for execution on endpoint devices. Arctic Wolf emphasizes that "The observed execution pattern suggests that threat actors used FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations." This abuse of trusted channels is highly effective because security tools and network administrators typically whitelist or inherently trust communications originating from an EMS server. By mimicking legitimate management operations, the attackers achieve a stealthy distribution mechanism, bypassing many traditional network and endpoint security controls that would otherwise flag suspicious activity. The implication is profound: "Once the threat actors had a route to modify EMS-managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device." This centralization of attack distribution significantly amplifies the scale and speed of compromise.


The attack further leverages legitimate system executables to execute its payload. Specifically, "fortitray.exe," a legitimate executable associated with FortiClient, is used to launch a .cmd script file via "cmd.exe." This .cmd script is designed to invoke a Base64-encoded PowerShell script. PowerShell, a powerful scripting language built into Windows, is frequently abused by attackers due to its native capabilities for system administration and its ability to operate "fileless," often evading signature-based detections. The Base64 encoding adds another layer of obfuscation, making it harder for simple static analysis to identify the malicious intent. The PowerShell script is then responsible for downloading the malicious payload, executing it on the endpoint, and subsequently exfiltrating the results to attacker-controlled infrastructure at IP address 83.138.53[.]110 via an HTTP POST request. This IP address serves as a critical Indicator of Compromise (IOC) for organizations to monitor and block.

The EKZ Infostealer: A Deceptive Threat

The downloaded executable, named "FortiEndpoint_Patch.exe," is meticulously crafted to masquerade as an authentic Fortinet update. This deceptive naming convention is a classic social engineering tactic, designed to lull users or automated systems into believing it is a benign, necessary update. However, this executable is, in reality, a previously unreported Windows information stealer. Arctic Wolf’s analysis reveals its capabilities include harvesting a wide array of sensitive data from popular Chromium- and Gecko-based browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, and others). This data includes:

  • Passwords: Stored login credentials for various websites and services.
  • Cookies: Session tokens that can be reused to gain access to authenticated sessions without needing passwords, potentially bypassing Multi-Factor Authentication (MFA).
  • Autofill details: Sensitive personal information such as credit card numbers, addresses, and phone numbers saved in browsers for convenience.

The infostealer operates by writing the captured data to a log file, which is then saved to the ProgramData directory on the compromised endpoint. Interestingly, the infostealer itself lacks built-in network-based exfiltration capabilities. This design choice might be a tactic to compartmentalize its functions, making it harder to trace the entire attack chain if only one component is analyzed. Instead, the previously executed PowerShell script assumes the role of transmitting this captured data to the attacker-controlled server.

Broader Ramifications: The Supply Chain Threat and Beyond

The exploitation of FortiClient EMS transcends a typical endpoint infection; it represents a sophisticated "supply chain" attack within the organization’s own network. By compromising a central management server, attackers effectively poison the well, turning a trusted security component into a conduit for malicious activity. This method is particularly insidious because it bypasses many perimeter defenses and internal segmentation strategies that might otherwise protect individual endpoints.

The implications of successful credential theft are far-reaching and potentially catastrophic. Stolen session cookies and saved browser credentials can provide threat actors with follow-on access to a multitude of critical resources:

  • Cloud Services: Access to corporate cloud environments like Microsoft 365, Google Workspace, AWS, Azure, and Salesforce, potentially exposing sensitive business data, communications, and intellectual property.
  • Internal Applications: Compromise of enterprise resource planning (ERP) systems, customer relationship management (CRM) software, and other proprietary applications that hold vital operational data.
  • MFA Bypass: Critically, the reuse of session cookies can circumvent Multi-Factor Authentication prompts, allowing attackers to bypass an organization’s strongest authentication measures. This undermines a fundamental pillar of modern cybersecurity, as MFA is often considered the last line of defense against credential theft.

Beyond immediate data theft, the privileged access gained through EMS compromise and the subsequent credential harvesting can facilitate further lateral movement within the network. Attackers can use stolen credentials to access other systems, escalate privileges, deploy additional malware (e.g., ransomware), or exfiltrate larger volumes of sensitive data. The "trusted infrastructure" dilemma means that organizations must constantly scrutinize even their most relied-upon internal systems for signs of compromise, as these can become the weakest link if left unpatched or inadequately monitored. The reputational damage, regulatory fines (e.g., GDPR, HIPAA), and significant operational disruptions that can result from such breaches highlight the severe risks associated with these types of attacks.

Industry Response and Mitigation Strategies

Fortinet’s prompt action in patching CVE-2026-35616 in April 2026 demonstrates a responsible approach to vulnerability management. However, the ongoing exploitation underscores that a patch release is only the first step. The onus then falls on organizations to apply these updates with urgency. For FortiClient EMS users, the most immediate and critical mitigation strategy is to update their deployments to version 7.4.7 or later without delay. Organizations must prioritize patching critical infrastructure components, especially those with network-wide management capabilities, to close windows of vulnerability as quickly as possible.

Beyond immediate patching, a multi-layered defense strategy is imperative:

  • Endpoint Detection and Response (EDR): Advanced EDR solutions can detect the anomalous behaviors exhibited in this campaign, such as the unusual execution of PowerShell scripts, the use of legitimate executables for malicious purposes, and suspicious network connections (like exfiltration to 83.138.53[.]110), even if signature-based antivirus misses the initial payload.
  • Network Segmentation: Implementing robust network segmentation can limit the lateral movement of attackers, even if an EMS server is compromised. This ensures that a breach in one segment does not automatically lead to compromise of the entire network.
  • Strong Authentication and MFA: While session reuse can bypass MFA in some cases, implementing MFA across all possible services significantly reduces the overall risk of credential-based attacks. Regularly reviewing and enforcing strong password policies remains fundamental.
  • Threat Hunting: Proactive threat hunting, as exemplified by Arctic Wolf’s discovery, is crucial for identifying novel attack techniques and detecting stealthy campaigns that evade automated defenses. Organizations should actively search for indicators of compromise (IOCs) like the mentioned IP address or specific file names.
  • Security Awareness Training: Educating employees about phishing, social engineering, and the importance of reporting suspicious activity can help prevent initial compromises, although this particular attack primarily targets system vulnerabilities rather than user interaction.
  • Incident Response Planning: Having a well-defined and regularly tested incident response plan is vital for minimizing the impact of a successful breach. This includes procedures for isolating compromised systems, eradicating malware, recovering data, and conducting thorough post-incident analysis.
  • Regular Security Audits: Continuous auditing and monitoring of critical systems like EMS can help detect unauthorized configuration changes or unusual access patterns.
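As an added illustration of the detection side of this campaign (example code written for this write-up, not tooling from Arctic Wolf or Fortinet), the Python below applies the behavioural and IOC checks drawn from the attack chain described earlier (fortitray.exe launching cmd.exe, cmd.exe launching Base64-encoded PowerShell, an HTTP POST to 83.138.53[.]110, and a file named FortiEndpoint_Patch.exe) and from the EDR and threat-hunting recommendations above to a handful of constructed telemetry events. The event shape, host names, paths and the encoded command are assumptions invented for the sample; only the IP address, the file name and the 7.4.7 fixed version come from the article. It also includes a small check for whether a reported EMS version is at or above the fixed release.

```python
import base64
import re
from typing import Dict, List, Optional

# Indicators taken from the article (Arctic Wolf's reporting); the IP is written
# defanged there as 83.138.53[.]110.
IOC_IP = "83.138.53.110"
IOC_PAYLOAD_NAME = "fortiendpoint_patch.exe"


def _encode_ps(text: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE command text.
    Used only to build the constructed sample event below."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry, not real logs: a simplified event shape loosely
# modelled on Sysmon-style process/network/file fields. Host names, paths and
# the encoded command are invented; the encoded command is a benign stand-in.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "host": "ws01",
     "parent": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"type": "process", "host": "ws01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand "
                + _encode_ps("Write-Output 'constructed benign stand-in'")},
    {"type": "network", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": IOC_IP, "dst_port": 80, "method": "POST"},
    {"type": "file", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\Public\FortiEndpoint_Patch.exe"},
    # Benign noise that must not fire.
    {"type": "process", "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "network", "host": "ws02",
     "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443, "method": "GET"},
]

# Matches the common spellings of PowerShell's encoded-command switch.
_ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events: List[Dict]) -> List[Dict]:
    """Apply the behavioural and IOC rules drawn from the article to each event."""
    findings: List[Dict] = []
    for ev in events:
        kind = ev["type"]
        image = _basename(ev.get("image", ""))
        if kind == "process":
            parent = _basename(ev.get("parent", ""))
            # Rule 1: the FortiClient tray process spawning a command shell.
            if parent == "fortitray.exe" and image == "cmd.exe":
                findings.append({"host": ev["host"], "rule": "fortitray_spawns_cmd",
                                 "detail": ev.get("cmdline", "")})
            # Rule 2: cmd.exe launching PowerShell with an encoded command; surface the decoded text.
            if parent == "cmd.exe" and image == "powershell.exe":
                decoded = decode_encoded_command(ev.get("cmdline", ""))
                if decoded is not None:
                    findings.append({"host": ev["host"], "rule": "encoded_powershell_from_cmd",
                                     "detail": decoded})
        # Rule 3: any contact with the reported exfiltration address.
        elif kind == "network" and ev.get("dst_ip") == IOC_IP:
            findings.append({"host": ev["host"], "rule": "ioc_ip_contact",
                             "detail": f"{ev.get('method')} to {IOC_IP}:{ev.get('dst_port')}"})
        # Rule 4: a file carrying the reported payload name.
        elif kind == "file" and _basename(ev.get("path", "")) == IOC_PAYLOAD_NAME:
            findings.append({"host": ev["host"], "rule": "ioc_payload_name",
                             "detail": ev.get("path", "")})
    return findings


def ems_is_patched(version: str, fixed: str = "7.4.7") -> bool:
    """True if a dotted EMS version is at or above the fixed release named in the article.
    Assumption: plain numeric comparison; consult the vendor advisory for other release branches."""
    def as_tuple(v: str):
        return tuple(int(p) for p in v.split("."))
    return as_tuple(version) >= as_tuple(fixed)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['rule']}: {f['detail']}")
    print("7.4.6 patched?", ems_is_patched("7.4.6"), "| 7.4.7 patched?", ems_is_patched("7.4.7"))
```

Run against the constructed sample, all four rules fire on ws01 and nothing fires on ws02. In a real deployment the same rules would be expressed as EDR or SIEM queries over process-creation, network-connection and file-creation telemetry; the parent/child pairing (rules 1 and 2) is the more durable signal, since the IP and file name can change between campaigns while the EMS-driven execution path described in the article cannot easily be hidden from endpoint telemetry.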

The Enduring Challenge of Endpoint Security

The FortiClient EMS exploitation campaign serves as a stark reminder of the enduring and evolving challenges in securing modern enterprise environments. Threat actors are increasingly sophisticated, capable of identifying and weaponizing critical vulnerabilities in foundational security infrastructure. Their ability to leverage trusted systems and masquerade malicious activity as legitimate operations highlights the need for organizations to move beyond traditional perimeter defenses and adopt a more holistic, adaptive security posture. The rapid pace of vulnerability exploitation post-patch release emphasizes that time is a critical factor in cybersecurity. Organizations must cultivate a culture of immediate patching, continuous monitoring, and proactive threat intelligence consumption to effectively defend against persistent and adaptive adversaries. As endpoints proliferate and become more interconnected, securing them remains a paramount concern, demanding constant vigilance and strategic investment in advanced security technologies and skilled personnel.
