Mass Infostealer Delivery via FortiClient EMS Vulnerability

CyberSecureFox Editorial Team

The critical vulnerability CVE-2026-35616 in FortiClient Endpoint Management Server (EMS) is being actively exploited by threat actors for mass delivery of credential-stealing malware via legitimate endpoint management mechanisms. According to Arctic Wolf, which discovered the campaign in May 2026, the attackers disguise the payload as a Fortinet update and distribute it to all managed devices using the native EMS workflow. Organizations using FortiClient EMS versions below 7.4.7 must update immediately and perform a compromise assessment.

Vulnerability and exploitation mechanism

The CVE-2026-35616 vulnerability is an API-level authentication bypass that allows an unauthorized attacker to gain privileged access to EMS functionality without prior authentication. The vulnerability reportedly has a CVSS score of 9.1, which corresponds to a critical severity level. A fix is available in FortiClient EMS version 7.4.7 and later.

The key danger of this vulnerability lies in the nature of the affected component. EMS is a centralized management system for FortiClient agents on endpoints. Once attackers obtain privileged access to EMS, they effectively gain a delivery channel for arbitrary code to all managed devices, without needing separate intrusion into each one.

Attack chain

According to the Arctic Wolf report, after successfully exploiting the vulnerability, the attackers perform a sequence of actions that imitate legitimate administrative operations:

  1. EMS configuration modification: the attackers disable firmware update reminders to reduce the likelihood of detection, and modify the remote access profile and endpoint policy to inject a malicious script.
  2. Delivery via the management channel: malicious PowerShell commands are sent to managed endpoints through the standard FortiClient management mechanism, making them visually indistinguishable from legitimate administrative operations.
  3. Execution via a legitimate process: to run the malicious code, the attackers use fortitray.exe, a legitimate FortiClient executable, which launches a command script (.cmd) via cmd.exe.
  4. Payload download: the command script invokes a Base64-encoded PowerShell script that downloads and runs the malicious executable.
  5. Data exfiltration: the infostealer’s results are sent to the command-and-control server via HTTP POST.

This attack architecture warrants particular attention: the attackers have deliberately split functions across components. The infostealer itself (FortiEndpoint_Patch.exe) contains no network exfiltration functionality — it only collects data and stores it locally in the ProgramData directory. Stolen data is exfiltrated by a separate PowerShell script. This separation complicates detection: analysis of the executable alone will not reveal any network activity.
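The chain above (fortitray.exe launching cmd.exe, which launches a Base64-encoded PowerShell command, which drops FortiEndpoint_Patch.exe under ProgramData) is what endpoint telemetry should be checked for. The following is an added example written for this article, not code from Arctic Wolf, Fortinet or the attackers: it walks a set of constructed Sysmon-style process-creation events, flags any shell whose ancestry includes fortitray.exe, decodes a `-EncodedCommand` argument for triage, and flags executables started from ProgramData. The event field names, the FortiClient install path and the sample encoded command (a harmless `Write-Output`) are assumptions made for the example.

```python
import base64
import binascii
import ntpath
import re

# Constructed sample: the PowerShell -EncodedCommand payload is a harmless
# Write-Output, encoded the way PowerShell expects (UTF-16LE, then base64).
SAMPLE_COMMAND = "Write-Output 'constructed sample'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events in a Sysmon Event ID 1 style
# (pid, parent pid, image path, command line). Not real telemetry; the
# FortiClient install path is an assumed default.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "cmdline": "FortiTray.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + SAMPLE_ENCODED},
    {"pid": 400, "ppid": 300, "image": r"C:\ProgramData\FortiEndpoint_Patch.exe",
     "cmdline": "FortiEndpoint_Patch.exe"},
    # Benign control: an interactive PowerShell session started from Explorer.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TRIGGER_PARENT = "fortitray.exe"          # legitimate FortiClient binary named in the report
PAYLOAD_NAME = "fortiendpoint_patch.exe"  # file name reported by Arctic Wolf
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def ancestor_names(event, by_pid):
    """Image base names of the parent chain, nearest first; guards against pid-reuse loops."""
    names, seen, pid = [], set(), event["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]
        names.append(ntpath.basename(parent["image"]).lower())
        pid = parent["ppid"]
    return names


def analyze(events):
    """Apply both detections and return findings in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        if name in SHELLS and TRIGGER_PARENT in ancestor_names(e, by_pid):
            findings.append({"pid": e["pid"], "rule": "shell spawned under fortitray.exe",
                             "decoded": decode_encoded_command(e["cmdline"])})
        elif name == PAYLOAD_NAME or (name.endswith(".exe") and "\\programdata\\" in e["image"].lower()):
            findings.append({"pid": e["pid"], "rule": "executable launched from ProgramData",
                             "decoded": None})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The ancestry walk matters more than the immediate parent: in the reported chain PowerShell is a grandchild of fortitray.exe, so a rule that only checks `ParentImage` would miss it. The benign PowerShell session under explorer.exe produces no finding.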

Infostealer capabilities

The malicious file FortiEndpoint_Patch.exe, disguised as a Fortinet update, is, according to Arctic Wolf, a previously undocumented Windows infostealer. Its functionality includes:

  • Extracting saved passwords from Chromium- and Gecko-based browsers
  • Stealing session cookies
  • Collecting autofill data: payment card numbers, addresses, phone numbers

As the researchers note, the stolen session cookies and saved browser credentials can give attackers access to cloud services, internal applications, and other authentication-protected resources, including scenarios where session reuse allows them to bypass multi-factor authentication.

Indicators of compromise

Based on the published data, the following network indicator is known:

  • Command-and-control server IP address: 83.138.53[.]110 (HTTP POST for data exfiltration)

Impact assessment

This attack poses an elevated threat for several reasons. First, FortiClient EMS is widely used in corporate environments for centralized endpoint security management. Compromise of an EMS server turns every managed device into a potential target without the need for a separate intrusion vector. Second, the use of legitimate Fortinet management channels and processes makes detection much harder for monitoring tools that are configured to trust the management infrastructure. Third, theft of session cookies creates a risk of cascading compromise: attackers may gain access to cloud services and internal applications while bypassing MFA.

It should be noted that the information about active exploitation comes from a single research source. At the time of publication, the vulnerability is not listed in the CISA KEV catalog, and no official Fortinet security advisory for this CVE was among the sources available for this article.

Response recommendations

  • Immediate update: install FortiClient EMS version 7.4.7 or later. This eliminates the API authentication bypass vulnerability.
  • EMS configuration audit: review remote access profiles, endpoint policies, and firmware update settings for unauthorized changes.
  • Endpoint inspection: search for the FortiEndpoint_Patch.exe file and suspicious files in the ProgramData directory on managed devices.
  • Network traffic monitoring: review logs for HTTP POST requests to 83.138.53[.]110.
  • PowerShell activity analysis: examine PowerShell execution logs on managed endpoints for Base64-encoded commands initiated via fortitray.exe or cmd.exe.
  • Credential rotation: if signs of compromise are found, enforce password changes and session invalidation for all users of affected endpoints, including revocation of access tokens for cloud services.
  • EMS access segmentation: restrict network access to the FortiClient EMS API, allowing connections only from trusted administrative addresses.
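Three of the checks above (the version threshold, the HTTP POST indicator and the EMS configuration audit) can be scripted for triage across a fleet. The block below is an added example for this article, not a Fortinet or Arctic Wolf tool: it refangs the published indicator, compares EMS version strings numerically against 7.4.7, scans a constructed proxy log for connections to the C2 address, and diffs a constructed EMS settings snapshot against a baseline. The proxy log format, the sample log lines and the setting key names are assumptions; the real EMS console fields differ.

```python
import re

# Values taken from the article: fixed version and the defanged C2 indicator.
PATCHED_VERSION = "7.4.7"
C2_DEFANGED = "83.138.53[.]110"

# Hypothetical EMS setting names chosen for the diff; they mirror the settings
# the report says were modified (update reminders, remote access profile, policy).
WATCHED_SETTINGS = ("firmware_update_reminders", "remote_access_profile", "endpoint_policy")


def refang(indicator):
    """Turn a published defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_version(text):
    """'7.4.7', 'v7.4.10', '7.4.7.1234' -> (7, 4, 7); rejects anything shorter than three parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if len(parts) < 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts[:3])


def ems_needs_update(version):
    """True when the EMS build is below 7.4.7, the threshold the article gives.
    Numeric comparison keeps 7.4.10 above 7.4.7 (a plain string sort would not).
    Whether older branches (7.2.x, 7.0.x) are affected is a question for the
    vendor advisory; this follows the article's 'below 7.4.7' wording."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


# Constructed proxy log: "<timestamp> <src> <dst> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2026-05-12T09:14:03Z 10.20.1.15 83.138.53.110 POST http://83.138.53.110/upload 200
2026-05-12T09:14:05Z 10.20.1.15 203.0.113.10 GET https://intranet.example/ 200
2026-05-12T09:15:11Z 10.20.1.22 83.138.53.110 GET http://83.138.53.110/ 404
2026-05-12T09:16:40Z 10.20.1.31 83.138.53.110 POST http://83.138.53.110/ 200
"""


def find_c2_traffic(log_text, c2=refang(C2_DEFANGED)):
    """Every connection to the C2 address. The 'method' field lets the caller
    separate the POST exfiltration pattern from other contact that still needs triage."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash the sweep
        ts, src, dst, method, url, _status = fields
        if dst == c2:
            hits.append({"ts": ts, "src": src, "method": method, "url": url})
    return hits


# Constructed snapshots of the hypothetical settings, before and after a compromise.
BASELINE_SETTINGS = {"firmware_update_reminders": True,
                     "remote_access_profile": "corp-default",
                     "endpoint_policy": "corp-standard"}
CURRENT_SETTINGS = {"firmware_update_reminders": False,
                    "remote_access_profile": "corp-default",
                    "endpoint_policy": "corp-standard-v2"}


def audit_ems_settings(baseline, current):
    """Report watched settings whose value differs from a known-good snapshot."""
    return {k: (baseline.get(k), current.get(k))
            for k in WATCHED_SETTINGS if baseline.get(k) != current.get(k)}


if __name__ == "__main__":
    for v in ("7.4.6", "7.4.7", "v7.4.10"):
        print(v, "needs update" if ems_needs_update(v) else "at or above fix")
    for hit in find_c2_traffic(SAMPLE_PROXY_LOG):
        print("C2 contact:", hit)
    print("changed settings:", audit_ems_settings(BASELINE_SETTINGS, CURRENT_SETTINGS))
```

Keeping the indicator defanged in the source and refanging it at use time avoids the common triage mistake of grepping logs for the bracketed form and finding nothing. A host that only issued a GET to the address is still worth a look, since the report describes POST as the exfiltration method, not the only traffic.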

Organizations operating FortiClient EMS should treat upgrading to version 7.4.7 as a top-priority task. Even in the absence of obvious signs of compromise, it is recommended to audit the EMS server configuration and review PowerShell logs on managed endpoints for activity since May 2026, paying particular attention to actions initiated via fortitray.exe.
