Exploitation of FortiClient EMS (CVE‑2026‑35616): Credential Theft

Colleagues, please note: active exploitation of CVE‑2026‑35616 has been observed.
Arctic Wolf described a campaign in which an API bypass (CVSS 9.1) enabled attackers to escalate privileges, alter FortiClient EMS configurations, and execute scripts on managed endpoints.
The attack masqueraded as an update: FortiEndpoint_Patch.exe, via fortitray.exe, launched a .cmd containing Base64-encoded PowerShell that downloaded a stealer and exfiltrated passwords, cookies and autofill data. The vulnerability is fixed in EMS 7.4.7+.
I recommend updating EMS and reviewing remote access policies and configuration integrity.
Why this matters: EMS compromise enables mass infection and service access, including MFA bypass.
Have you updated EMS in your environment?
#cybersecurity #endpointsecurity #FortiClient #vulnerabilities
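A hunting sketch for the process chain described in the post, added here as an example and not taken from Arctic Wolf or Fortinet: it walks process ancestry in process-creation events and decodes any PowerShell `-EncodedCommand` argument whose ancestors include `fortitray.exe` or `FortiEndpoint_Patch.exe`. The event field names, PIDs, paths and payload are constructed sample data; map them to your own EDR or Sysmon export.

```python
import base64
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style); every value is sample data.
_PAYLOAD = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\constructed\fortitray.exe", "cmd": "fortitray.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\constructed\FortiEndpoint_Patch.exe", "cmd": "FortiEndpoint_Patch.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": r"cmd.exe /c C:\constructed\run.cmd"},
    {"pid": 400, "ppid": 300, "image": r"C:\constructed\powershell.exe", "cmd": f"powershell.exe -NoP -enc {_PAYLOAD}"},
    {"pid": 500, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\constructed\powershell.exe", "cmd": "powershell.exe -File inventory.ps1"},
]
# File names taken from the post, lower-cased for comparison.
WATCHED = {"fortitray.exe", "fortiendpoint_patch.exe"}
ENC_RE = re.compile(r"(?i)(?:^|\s)-(e\w*)\s+([A-Za-z0-9+/=]{8,})")

def decode_encoded_command(cmd):
    """Return the decoded text of a PowerShell -EncodedCommand argument, else None."""
    for m in ENC_RE.finditer(cmd):
        flag = m.group(1).lower()
        # PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...) and the alias -ec.
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except ValueError:  # not valid Base64 / UTF-16LE
                continue
    return None

def ancestry(event, by_pid):
    """Image base names from the process up to the oldest ancestor present in the data."""
    chain, seen = [], set()
    while event and event["pid"] not in seen:  # 'seen' guards against PID loops
        seen.add(event["pid"])
        chain.append(ntpath.basename(event["image"]).lower())
        event = by_pid.get(event["ppid"])
    return chain

def hunt(events):
    """Flag encoded PowerShell whose ancestors include a watched file name."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        decoded = decode_encoded_command(e["cmd"])
        chain = ancestry(e, by_pid)
        if decoded is not None and WATCHED & set(chain[1:]):
            hits.append({"pid": e["pid"], "chain": " <- ".join(chain), "decoded": decoded})
    return hits
```

PIDs are reused over time, so on real telemetry key the lookup on a process GUID or on (host, PID, start time) instead of the bare PID.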

