Attackers use FortiClient EMS flaw to push credential stealer

Attackers exploited CVE-2026-35616 in FortiClient EMS in May 2026 to push a fake FortiEndpoint_Patch.exe update that installed a PowerShell credential stealer on managed endpoints.

In May 2026 attackers exploited a pre-authentication API bypass in FortiClient Endpoint Management Server tracked as CVE-2026-35616 to push a fake update named FortiEndpoint_Patch.exe. The update installed a PowerShell-based credential stealer on devices managed by EMS.

The vulnerability allowed unauthorized access to EMS management functions. Attackers changed EMS configurations, modified a Remote Access Profile and an endpoint policy, and inserted a malicious script for execution on endpoints.

Arctic Wolf observed the activity and described how the attackers used the EMS management channel to deliver the malware. The campaign used fortitray.exe, a legitimate FortiClient executable, to launch a .cmd script via cmd.exe. The .cmd script decoded a Base64 PowerShell payload that downloaded and ran the main malicious component and posted stolen data to 83.138.53.110 over HTTP.

The file distributed as an update, FortiEndpoint_Patch.exe, is a previously unreported Windows information stealer that extracts saved passwords, session cookies and browser autofill data, including credit card numbers, addresses and phone numbers, from Chromium- and Gecko-based browsers. The stealer writes collected data to a log file in the ProgramData directory; it does not contain its own network exfiltration routine.

CVE-2026-35616 carries a 9.1 CVSS score. Fortinet released fixes in FortiClient EMS 7.4.7 and later. Organizations running EMS should apply the update and inspect management configurations for unauthorized changes such as deferred firmware reminders, altered remote access profiles and unexpected endpoint policies.

Security teams are advised to search for the FortiEndpoint_Patch.exe file, unusual use of fortitray.exe or cmd.exe to run scripts, Base64-encoded PowerShell commands and outbound HTTP POSTs to unfamiliar IP addresses. Because session cookies and saved credentials can provide access to cloud services and internal applications, teams should consider resetting service tokens and invalidating user sessions for devices managed by a compromised EMS.
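A defender-side triage script for the hunt described above, added here as an example and not part of the article or Arctic Wolf's report. It runs over constructed Sysmon-style process-creation events (the field names `parent`, `image` and `cmdline` are assumed) and flags fortitray.exe launching cmd.exe with a .cmd script, decodes `-EncodedCommand` PowerShell arguments so an analyst can read them, and looks for the FortiEndpoint_Patch.exe name.

```python
import base64
import re

# Constructed sample payload: a harmless command encoded the way PowerShell
# expects (UTF-16LE, then Base64). Not taken from the real campaign.
ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()

# Constructed Sysmon-style process-creation events, not real telemetry.
# Event 0 and 1 mirror the chain the article describes; event 2 is benign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENC},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...).
ENC_FLAG = re.compile(r"(?i)\s-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the list of findings for one process-creation event."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd = event["cmdline"]
    findings = []
    if parent.endswith("fortitray.exe") and image.endswith("cmd.exe") and ".cmd" in cmd.lower():
        findings.append("fortitray.exe launched cmd.exe with a .cmd script")
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            findings.append("encoded PowerShell: " + decoded)
    if "fortiendpoint_patch.exe" in (image + " " + cmd).lower():
        findings.append("FortiEndpoint_Patch.exe referenced")
    return findings


def scan(events):
    """Return (event_index, finding) pairs for every suspicious event."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]
```

Feed it real process-creation events exported from your SIEM in the same three-field shape, and pair the hits with outbound HTTP POST telemetry from the same hosts.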

Arctic Wolf noted, “The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints.”
