Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

2026-05-28

1 min read

by info@thehackernews.com (The Hacker News)

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Threat actors exploit CVE-2026-35616, a critical FortiClient EMS vulnerability, to deploy credential-stealing malware disguised as endpoint updates.

•CVE-2026-35616: critical pre-authentication API bypass (CVSS 9.1) enabling privilege escalation in FortiClient EMS versions before 7.4.7
•Attack leverages FortiClient's management pathway to distribute malicious PowerShell commands disguised as legitimate management operations
•FortiEndpoint_Patch.exe credential stealer harvests passwords, cookies, and autofill data from Chromium and Gecko browsers
•Single EMS compromise enables threat actors to push malicious commands to all managed endpoints without individual intrusion paths
•Stolen data is exfiltrated to attacker infrastructure via Base64-encoded PowerShell script

Related Articles