Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Briefly

Threat actors exploited CVE-2026-35616, a critical pre-authentication API access bypass (CVSS score 9.1) affecting FortiClient Endpoint Management Server (EMS) deployments; Fortinet addressed the issue in FortiClient EMS 7.4.7 and later. After compromising a server, the attackers used the EMS management pathway to push a credential-stealing payload disguised as a Fortinet endpoint update and silently executed it through PowerShell. They modified EMS configurations to defer firmware upgrade reminders and changed Remote Access Profile and endpoint policy settings to insert a malicious script for execution on managed devices. The chain also used fortitray.exe, a legitimate FortiClient executable, to launch a .cmd script via cmd.exe; that script invoked a Base64-encoded PowerShell script that downloaded and ran the payload, which masqueraded as FortiEndpoint_Patch.exe, and exfiltrated the results to 83.138.53[.]110 using an HTTP POST request.
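The execution chain summarized above (fortitray.exe spawning cmd.exe on a .cmd file, which hands off to an encoded PowerShell command that references the reported host and payload name) is something a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from The Hacker News report or from Fortinet: it runs offline over constructed Sysmon-style events, decodes any `-EncodedCommand` argument, and flags the parent/child pairing plus the two indicators the report names. The sample script inside the encoded command and the `C:\ProgramData\update.cmd` path are made up for the demo; only the binary names, the IP and the payload filename come from the report.

```python
"""Hunt for the FortiClient EMS abuse chain described in the report, over
process-creation events (Sysmon Event ID 1 style fields), entirely offline.
Added example; not code from the report or from Fortinet."""
import base64
import binascii
import re
from typing import Optional

# Indicators quoted in the report, kept defanged exactly as written there.
REPORTED_IOCS = ("83.138.53[.]110", "FortiEndpoint_Patch.exe")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(
    r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def refang(ioc: str) -> str:
    """Turn the report's defanged form (83.138.53[.]110) into what a log line would contain."""
    return ioc.replace("[.]", ".")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(ev: dict) -> list:
    """Return human-readable findings for one process-creation event (empty list = clean)."""
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    cmdline = ev["CommandLine"]
    findings = []
    # Stage 1 from the report: the FortiClient tray binary launching cmd.exe on a .cmd file.
    if parent.endswith("\\fortitray.exe") and image.endswith("\\cmd.exe") and ".cmd" in cmdline.lower():
        findings.append("fortitray.exe launched cmd.exe on a .cmd script")
    # Stage 2: an encoded PowerShell command, suspicious on its own and more so under cmd.exe.
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append(
                "encoded PowerShell command" + (" spawned by cmd.exe" if parent.endswith("\\cmd.exe") else "")
            )
            hits = [i for i in REPORTED_IOCS if refang(i).lower() in decoded.lower()]
            if hits:
                findings.append("decoded command references reported indicators: " + ", ".join(hits))
    return findings


def scan(events: list) -> list:
    """Return (event index, findings) for every event that triggers at least one finding."""
    out = []
    for idx, ev in enumerate(events):
        f = analyze_event(ev)
        if f:
            out.append((idx, f))
    return out


# Constructed sample events. The encoded script is an inert assignment that merely
# mentions the reported host and payload name; it is not the attackers' script.
_SAMPLE_SCRIPT = "$src = 'http://83.138.53.110/FortiEndpoint_Patch.exe'"  # constructed
_ENCODED = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\update.cmd"'},  # hypothetical script path
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {_ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},  # benign
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(findings))
```

Two design points: the `-e` prefix regex deliberately requires whitespace and a base64-looking token right after the switch, so `-ExecutionPolicy Bypass` on the benign event is not mistaken for an encoded command; and the indicators are stored defanged as the report prints them and re-fanged only at match time, so the hunt list can be pasted straight from the advisory without accidentally making the IP clickable.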
"The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints. Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell."
"A successful compromise is followed by the threat actor taking steps to modify configurations to defer firmware upgrade reminders, as well as modifying a Remote Access Profile configuration and endpoint policy to insert a malicious script for execution on endpoint devices."
"The observed execution pattern suggests that threat actors used FortiClient's own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations. Once the threat actors had a route to modify EMS-managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device."
"In addition, the attack has been found to leverage 'fortitray.exe,' a legitimate executable associated with FortiClient, to launch a .cmd script file using 'cmd.exe.' The .cmd script is designed to invoke a Base64-encoded PowerShell script that, in turn, is responsible for downloading a malicious payload, running it, and exfiltrating the results to '83.138.53[.]110' via an HTTP POST request."
Read at The Hacker News