CVE-2026-35616 — a critical pre‑authentication API bypass with a CVSS score of 9.1 — has been weaponized to turn trusted FortiClient Endpoint Management Server (EMS) infrastructure into a delivery channel for a new credential‑stealing campaign, Arctic Wolf reported after observing activity in May 2026.
CVE-2026-35616 and the FortiClient EMS patch
The vulnerability, tracked as CVE-2026-35616, permits pre‑authentication API access bypass that can lead to privilege escalation. Fortinet addressed the issue in FortiClient EMS 7.4.7 and later. Arctic Wolf characterized the flaw as the pivot point that allowed attackers to interact with EMS in a privileged context and alter management configurations.
How the campaign abused endpoint management
"The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf said. According to the company, once adversaries exploited the API bypass they modified EMS configurations — including deferring firmware upgrade reminders, changing a Remote Access Profile, and altering an endpoint policy — to insert malicious scripts for execution on managed devices.
"By bypassing API authentication and interacting with EMS functionality in a privileged context, threat actors were able to modify management configuration and push malicious scripts for execution on managed endpoints," Arctic Wolf said. The observed pattern, Arctic Wolf added, resembled legitimate management activity pushed through FortiClient's own pathways: "The observed execution pattern suggests that threat actors used FortiClient's own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations."
Delivery, execution and exfiltration: fortitray.exe, .cmd and a Base64 PowerShell loader
The payload chain impersonated a Fortinet update. A file named "FortiEndpoint_Patch.exe" masqueraded as a legitimate update but is a previously unreported Windows information stealer capable of harvesting passwords, cookies, and autofill details — including credit card information, addresses, and phone numbers — from Chromium‑ and Gecko‑based browsers.
Attackers leveraged the legitimate FortiClient executable "fortitray.exe" to launch a .cmd script via "cmd.exe." That .cmd file invoked a Base64‑encoded PowerShell script which downloaded the malicious stealer, executed it, and then exfiltrated the captured material. Arctic Wolf noted that the stealer itself writes harvested data to a log file saved under the ProgramData directory but lacks its own network exfiltration; the PowerShell loader is responsible for transmitting the data to attacker infrastructure at 83.138.53[.]110 via an HTTP POST request.
"Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell," Arctic Wolf said.
Configuration changes broadened reach across managed endpoints
Because the attackers altered EMS‑managed configurations, each managed endpoint became a potential execution target without a separate intrusion into each device. "Once the threat actors had a route to modify EMS‑managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device," Arctic Wolf said. In practice, that meant the adversary used a single privileged control point — the compromised EMS instance — to deliver PowerShell commands and payloads at scale.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: Verify EMS deployment versions and prioritize upgrades to FortiClient EMS 7.4.7 or later; monitor for changes to Remote Access Profile settings, endpoint policies, deferred firmware reminders, unexpected calls to fortitray.exe followed by cmd.exe, and Base64‑encoded PowerShell activity that reaches out to 83.138.53[.]110.
- Affected enterprises and procurement leaders: Treat EMS‑level controls and update mechanisms as high‑impact assets — audit EMS configuration change history and ProgramData for unexpected log files, and review whether management workflows allow unauthenticated API changes that could be abused.
- End users: Be aware that harvested session cookies and saved browser credentials can provide "follow‑on access to cloud services, internal applications, and other authenticated resources, including cases where session reuse may circumvent MFA prompts," Arctic Wolf said — meaning stolen browser data can enable access beyond password reuse alone.
The campaign underscores a simple, troubling fact: trusted management channels are an attractive vector. Fortinet issued mitigations in FortiClient EMS 7.4.7 and later; organizations running EMS should confirm their versions and audit management configurations for the indicators described above. Arctic Wolf's analysis ties the successful exploitation to both the vulnerability and the operational choice to treat EMS as a singular control plane — a combination that turned a software update workflow into an automated distribution mechanism for a credential stealer.



