VMTech

Exploitation of FortiClient EMS (CVE‑2026‑35616): Credential Theft


Colleagues, please note: active exploitation of CVE‑2026‑35616 has been observed.

Arctic Wolf described a campaign in which an API bypass (CVSS 9.1) enabled attackers to escalate privileges, alter FortiClient EMS configurations, and execute scripts on managed endpoints.

The attack masqueraded as an update: FortiEndpoint_Patch.exe, via fortitray.exe, launched a .cmd containing Base64-encoded PowerShell that downloaded a stealer and exfiltrated passwords, cookies and autofill data. The vulnerability is fixed in EMS 7.4.7+.

I recommend updating EMS and reviewing remote access policies and configuration integrity.

Why this matters: EMS compromise enables mass infection and service access, including MFA bypass.

Have you updated EMS in your environment?

#cybersecurity #endpointsecurity #FortiClient #vulnerabilities
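
One way to hunt for the process chain described above, as an added example that is not part of the original post or of any vendor tooling: it flags PowerShell started with an encoded command beneath `FortiEndpoint_Patch.exe` or `fortitray.exe` and decodes the payload for analyst review. The event schema, pids, `sample.cmd` and the benign payload are constructed assumptions.

```python
import base64
import re

# Image names come from the post; the event schema (pid, ppid, image, cmdline) is assumed.
SUSPECT_ANCESTORS = {"fortiendpoint_patch.exe", "fortitray.exe"}
FLAG_ARG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script carried by -EncodedCommand (or a prefix/alias), else None."""
    for m in FLAG_ARG.finditer(cmdline):
        flag = m.group(1).lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # some other -e... switch, e.g. -ExecutionPolicy
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except ValueError:  # bad Base64 or odd-length UTF-16
            return None
    return None

def ancestors(by_pid, pid):
    """Image names of parent processes, nearest first; stops on unknown or repeated pids."""
    chain, seen, ev = [], {pid}, by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        chain.append(ev["image"].lower())
    return chain

def find_suspicious(events):
    """Flag PowerShell launched with an encoded command below a suspect ancestor."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        script = decode_encoded_command(e["cmdline"])
        chain = ancestors(by_pid, e["pid"])
        if script is not None and SUSPECT_ANCESTORS & set(chain):
            hits.append({"pid": e["pid"], "chain": chain, "decoded": script})
    return hits

# Constructed sample: benign payload, made-up pids and .cmd name.
_B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "fortitray.exe", "cmdline": "fortitray.exe"},
    {"pid": 200, "ppid": 100, "image": "FortiEndpoint_Patch.exe", "cmdline": "FortiEndpoint_Patch.exe"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c sample.cmd"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -enc " + _B64},
    {"pid": 500, "ppid": 1, "image": "powershell.exe", "cmdline": "powershell.exe -enc " + _B64},
]
```

Running `find_suspicious(SAMPLE_EVENTS)` reports only pid 400; pid 500 uses the same encoded command but has no suspect ancestor.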
