Threat Actors Exploit FortiClient EMS Vulnerability (CVE-2026-35616) to Distribute Malware

Executive Summary

Threat actors are actively exploiting a critical vulnerability, CVE-2026-35616, in Fortinet's FortiClient Endpoint Management Server (EMS). The vulnerability, with a CVSS score of 9.1, is a pre-authentication API access bypass that allows an unauthenticated attacker to achieve privilege escalation on the EMS server. According to research from Arctic Wolf, attackers are weaponizing this flaw to distribute credential-stealing malware. The attack is particularly insidious as it abuses the trusted management pathway of the EMS itself. By compromising the central server, attackers modify endpoint policies to inject and execute malicious PowerShell scripts on all managed endpoints, turning the security product into a malware deployment platform. Fortinet has addressed the vulnerability in FortiClient EMS version 7.4.7, and immediate patching is strongly recommended.

Vulnerability Details

• CVE ID: CVE-2026-35616
• Product: FortiClient Endpoint Management Server (EMS)
• Affected Versions: Prior to 7.4.7
• CVSS Score: 9.1 (Critical)
• Vulnerability Type: Pre-authentication API Access Bypass leading to Privilege Escalation
• Impact: An unauthenticated, remote attacker can exploit this vulnerability to gain administrative control over the EMS server.

Threat Overview

The active exploitation campaign observed in May 2026 demonstrates a sophisticated abuse of the EMS platform's intended functionality.

• Exploitation: Attackers exploit CVE-2026-35616 to gain unauthorized administrative access to the FortiClient EMS server.
• Defense Evasion: Once on the server, they modify system configurations, such as deferring firmware upgrade reminders, to remain undetected and maintain persistence.
• Malware Distribution: The core of the attack involves altering a Remote Access Profile configuration. The attackers inject a malicious PowerShell script into an endpoint policy.
• Payload Execution: The EMS server, operating as intended, pushes this malicious policy out to all managed endpoints. The endpoints then execute the PowerShell script, which downloads and runs a credential-stealing malware payload disguised as a Fortinet update.

This attack highlights a highly dangerous trend of targeting security and management infrastructure. By compromising the tool used to protect and manage endpoints, attackers can achieve widespread, trusted distribution of their malware, bypassing many traditional security controls.

Technical Analysis

The attack chain leverages the trust relationship between the EMS server and its managed clients.

1. Initial Access: The attacker exploits CVE-2026-35616 against an internet-facing, unpatched FortiClient EMS server. This provides them with privileged access without needing credentials. This aligns with T1190 - Exploit Public-Facing Application.
2. Execution & Persistence: With administrative access, the attacker modifies server and endpoint configurations. This involves using the EMS's legitimate features to schedule the execution of a malicious script. This abuse of legitimate functionality for execution is a form of T1219 - Remote Access Software, where the EMS itself is the remote access tool being abused.
3. Command and Scripting: The use of a malicious PowerShell script pushed via policy is a key part of the attack, mapping to T1059.001 - PowerShell.
4. Impact: The final payload is a credential stealer, indicating the objective is data theft, specifically credentials, which can be used for further lateral movement or to access other systems. This falls under T1003 - OS Credential Dumping.

Impact Assessment

The impact of this attack is severe due to the amplification effect of compromising the EMS.

• Widespread Endpoint Compromise: A single successful exploit against the EMS server can lead to the immediate compromise of every single endpoint managed by it, potentially thousands of machines.
• Credential Theft: The deployed malware steals credentials, which can lead to further breaches of other systems, applications, and data within the organization.
• Loss of Trust in Security Tools: The attack erodes trust in the very tools meant to provide security, creating a challenging situation for incident responders who may not be able to rely on the compromised management platform.

IOCs — Directly from Articles

No specific technical Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for signs of a compromised EMS server or endpoints.

Detection & Response

• Detection:
  • Audit Log Review: Regularly audit the FortiClient EMS logs for any configuration changes made outside of planned maintenance windows.
  • PowerShell Logging: Ensure PowerShell Script Block Logging (Event ID 4104) and Module Logging are enabled across all endpoints. This will record the content of executed scripts, allowing for analysis of malicious activity.
  • EDR/XDR: Use an EDR solution to monitor process execution chains. An alert should be triggered if the FortiClient agent spawns a PowerShell process that then makes an external network connection.

Remediation Steps

• Patch Immediately: The most critical step is to upgrade all FortiClient EMS instances to version 7.4.7 or later. This is the primary action for M1051 - Update Software.
• Limit Network Exposure: Do not expose the FortiClient EMS management interface directly to the internet. If remote access is required, place it behind a VPN or a secure access gateway with strict access controls. This aligns with M1035 - Limit Access to Resource Over Network.
• Incident Response: If you suspect a compromise, assume all managed endpoints are also compromised. Initiate a full incident response process, including isolating the EMS server, resetting all potentially compromised credentials, and performing a malware scan on all endpoints.