Threat actors are abusing a patched FortiClient Endpoint Management Server flaw in May 2026 to deliver a credential-stealing malware package to managed devices, according to a technical analysis from Arctic Wolf. The campaign uses CVE-2026-35616, a critical pre-authentication API access bypass with privilege escalation, and disguises the payload as a Fortinet update.
KEY FACTS
- Vulnerability: CVE-2026-35616 carries a 9.1 CVSS score.
- Fix: Fortinet addressed the flaw in FortiClient EMS 7.4.7 and later.
- Payload: The malware is named FortiEndpoint_Patch.exe and poses as an update.
- Stealer data: It targets passwords, cookies, autofill data and other browser information.
The report said the activity was observed in May 2026. After gaining access, the attackers changed settings to delay firmware upgrade reminders and modified a Remote Access Profile and endpoint policy to add a malicious script.
The execution chain used fortitray.exe, a legitimate FortiClient component, to launch a .cmd file through cmd.exe. That script then ran a Base64-encoded PowerShell command that downloaded the payload, executed it and sent results to 83.138.53.110 through an HTTP POST request.
The stealer writes captured data to a log file in the ProgramData directory. The report said it lacks its own network exfiltration feature, with PowerShell handling the transfer of stolen information to attacker-controlled infrastructure.
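One way a SOC could hunt for the execution chain described above in process-creation telemetry, as an added example that is not part of the Arctic Wolf report: it decodes -EncodedCommand arguments, walks parent-process links, and flags encoded PowerShell that descends from FortiTray via cmd.exe or contains the reported indicators. The sample events, process IDs and file paths are constructed for the demonstration.

```python
import base64
import re
# Indicators from the Arctic Wolf report quoted above
IOCS = ("83.138.53.110", "FortiEndpoint_Patch.exe")
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def b64_ps(script):
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style process events (not real telemetry): FortiTray -> cmd.exe -> encoded PowerShell, plus noise
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3000, "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "cmdline": "FortiTray.exe"},
    {"pid": 4120, "ppid": 4101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\ProgramData\update.cmd"'},
    {"pid": 4133, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + b64_ps("Write-Host 'constructed sample: FortiEndpoint_Patch.exe 83.138.53.110'")},
    {"pid": 5010, "ppid": 3000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + b64_ps("Get-Date")},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if the command line has none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_suspicious_chains(events):
    """Flag encoded PowerShell that descends from FortiTray via cmd.exe or carries a known IOC."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        decoded = decode_encoded_command(e["cmdline"])
        if decoded is None or not e["image"].lower().endswith("powershell.exe"):
            continue
        chain, cur = [], by_pid.get(e["ppid"])  # walk ppid links: nearest parent first
        while cur:
            chain.append(cur["image"].rsplit("\\", 1)[-1].lower())
            cur = by_pid.get(cur["ppid"])
        hits = [i for i in IOCS if i.lower() in decoded.lower()]
        if ("fortitray.exe" in chain and "cmd.exe" in chain) or hits:
            findings.append({"pid": e["pid"], "chain": chain, "iocs": hits, "decoded": decoded})
    return findings
```

Parent-chain matching catches the abuse of a trusted component even when the decoded script contains none of the published indicators, which matters once the attackers rotate infrastructure or file names.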
Arctic Wolf said the campaign abused trusted endpoint management infrastructure to push malicious PowerShell commands in a way that resembled legitimate administration. It also warned that stolen session cookies and saved credentials could allow follow-on access to cloud services and internal applications, including cases where session reuse may bypass MFA prompts.
WHY IT MATTERS
The case shows how a single EMS compromise can expose many managed endpoints at once and turn routine management tools into a delivery path for malware. It also raises the risk that stolen browser data could be used to access additional accounts and services even after the initial intrusion.

