What CVE-2026-35616 Is and Why It Matters
CVE-2026-35616 is a critical FortiClient EMS vulnerability that allows unauthenticated attackers to bypass API access controls, gain elevated privileges, and use trusted endpoint management channels to deliver credential-stealing malware disguised as legitimate updates. This flaw turns centralized endpoint management into an attack delivery system, enabling large-scale compromise of managed devices through a single EMS foothold. Arctic Wolf observed active exploitation of this FortiClient EMS vulnerability in May 2026, rating it a CVSS 9.1 pre-authentication API access bypass. Once inside, attackers operate in a privileged EMS context and no longer need separate intrusion paths to each endpoint. That makes the CVE-2026-35616 exploit especially dangerous for organizations that depend on FortiClient for centralized endpoint management, as a single EMS compromise can cascade into a broad endpoint security breach and mass credential exposure.
How Threat Actors Turn EMS into a Fake Update Delivery Channel
The observed campaign shows attackers abusing FortiClient EMS to push fraudulent updates that hide credential stealer malware. After exploiting CVE-2026-35616, they modify EMS configurations to defer firmware upgrade reminders and alter Remote Access Profile and endpoint policies. These changes insert malicious scripts into legitimate management workflows, so the activity resembles standard operations. According to Arctic Wolf, “threat actors used FortiClient's own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations.” The executable deployed, FortiEndpoint_Patch.exe, masquerades as an authentic Fortinet endpoint update. In practice, it is an unreported Windows information stealer planted through trusted update mechanisms. By embedding the payload in what appears to be a normal FortiClient update, attackers exploit user and administrator trust, sharply increasing the success rate of the fake update delivery method.
Inside the Attack Chain: PowerShell, fortitray.exe, and Credential Theft
Once EMS is under attacker control, the execution chain relies on native FortiClient components and PowerShell. The attack uses fortitray.exe, a legitimate FortiClient executable, to launch a .cmd script through cmd.exe. That script invokes a Base64-encoded PowerShell command which downloads FortiEndpoint_Patch.exe, runs it, and manages data exfiltration. The credential stealer focuses on Chromium- and Gecko-based browsers, harvesting passwords, cookies, and autofill details such as credit card information, addresses, and phone numbers. Collected data is written to a log file in the ProgramData directory. The stealer itself does not exfiltrate data over the network; instead, the PowerShell script sends the captured information via HTTP POST to attacker infrastructure at 83.138.53[.]110. Session cookies and saved credentials create high-value follow-on access, enabling threat actors to log into cloud services and internal applications, sometimes bypassing multi-factor prompts through session reuse.
Detecting CVE-2026-35616 Exploitation in Enterprise Environments
Enterprise security teams need to treat FortiClient EMS as a high-sensitivity asset and watch for abnormal management behavior. Key detection opportunities include unusual modifications to Remote Access Profiles, unexpected changes to endpoint policy scripts, and sudden suppression or deferral of firmware upgrade reminders. These changes may indicate that attackers are preparing EMS-managed endpoints for malicious script delivery. Endpoint and SIEM telemetry should focus on PowerShell activity initiated by fortitray.exe or other FortiClient processes, especially when PowerShell is decoded from Base64 or contacts suspicious IP addresses, including 83.138.53[.]110. Security teams should flag new or renamed executables such as FortiEndpoint_Patch.exe appearing across multiple managed devices. Centralized logging of EMS administrative actions, configuration changes, and API calls is important for identifying abuse of the API access bypass and reconstructing the CVE-2026-35616 exploit path during incident response.
Immediate Remediation and Long-Term Hardening for FortiClient EMS
Mitigation starts with patching. Organizations should upgrade FortiClient EMS to version 7.4.7 or later, where Fortinet has addressed the CVE-2026-35616 exploit. Treat EMS as a critical control point: restrict network access to the EMS interface, enforce strong authentication, and closely limit who can modify endpoint policies and Remote Access Profiles. Regularly review EMS configurations to confirm no unapproved scripts or update tasks have been added. For compromised environments, responders should assume all EMS-managed endpoints are potential victims. Perform wide-scale sweeps for FortiEndpoint_Patch.exe, suspicious .cmd files, and related PowerShell artifacts, and reset exposed credentials for affected users and browser profiles. Strengthen monitoring for credential stealer malware indicators and endpoint security breach patterns. Long term, integrate EMS activity into your security monitoring strategy so that abuse of trusted management pathways is detected quickly, preventing future credential theft campaigns through FortiClient EMS.