Close Menu
    What's Hot

    Nearly 2 million Americans are dealing with long-term unemployment

    Iran, Epstein, Space Travel: 5 Takeaways From JD Vance’s Interview With Joe Rogan

    How To Watch the 2026 FIFA World Cup Finals: Spain vs. Argentina

    Facebook X (Twitter) Instagram
    Trending
    • Nearly 2 million Americans are dealing with long-term unemployment
    • Iran, Epstein, Space Travel: 5 Takeaways From JD Vance’s Interview With Joe Rogan
    • How To Watch the 2026 FIFA World Cup Finals: Spain vs. Argentina
    • World Matchplay 2026: How hard is it for Luke Littler to join Michael van Gerwen and Phil Taylor to go back to back at the Winter Gardens? | Darts News
    • Almost Half of House Democrats Vote to End Aid to Israel
    • UK proposes voluntary overnight social media curfew for older teens | Social Media News
    • Hong Kong Police Raid Independent Bookstores and Arrest 5
    • Applied Computing wants to give oil and gas operators an AI model for the entire plant
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

    adminBy adminMay 28, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananMay 28, 2026Vulnerability / Endpoint Security

    Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

    Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware.

    “The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,” Arctic Wolf said. “Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.”

    The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.

    Cybersecurity

    A successful compromise is followed by the threat actor taking steps to modify configurations to defer firmware upgrade reminders, as well as modifying a Remote Access Profile configuration and endpoint policy to insert a malicious script for execution on endpoint devices.

    “The observed execution pattern suggests that threat actors used FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations,” Arctic Wolf said.

    “Once the threat actors had a route to modify EMS-managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device.”

    In addition, the attack has been found to leverage “fortitray.exe,” a legitimate executable associated with FortiClient to launch a .cmd script file using “cmd.exe.” The .cmd script is designed to invoke a Base64-encoded PowerShell script that, in turn, is responsible for downloading a malicious payload, running it, and exfiltrating the results to “83.138.53[.]110” via an HTTP POST request.

    The executable, named “FortiEndpoint_Patch.exe,” masquerades as an update, but, in reality, is a previously unreported Windows information stealer capable of harvesting sensitive data, such as passwords, cookies, and autofill details such as credit card information, addresses, and phone numbers, from Chromium- and Gecko-based browsers.

    Cybersecurity

    The data is written to a log file and saved to the ProgramData directory. It’s worth noting that the stealer lacks network-based exfiltration capabilities. It’s the PowerShell script that transmits the captured data to the attacker-controlled infrastructure.

    “By bypassing API authentication and interacting with EMS functionality in a privileged context, threat actors were able to modify management configuration and push malicious scripts for execution on managed endpoints,” Arctic Wolf said.

    “Session cookies and saved browser credentials may provide threat actors with follow-on access to cloud services, internal applications, and other authenticated resources, including cases where session reuse may circumvent MFA prompts.”

    actors Credential critical deploy EMS Exploit flaw FortiClient Stealer threat
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleA grim new report shows food insecurity is getting worse in the K-shaped economy
    Next Article A.I. Is Making Scams Hard to Spot. Here’s How to Protect Yourself.
    admin
    • Website

    Related Posts

    148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet

    July 16, 2026

    Closing the Approval Gap in AI-Era Ad Tech

    July 16, 2026

    Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Nearly 2 million Americans are dealing with long-term unemployment

    Iran, Epstein, Space Travel: 5 Takeaways From JD Vance’s Interview With Joe Rogan

    How To Watch the 2026 FIFA World Cup Finals: Spain vs. Argentina

    World Matchplay 2026: How hard is it for Luke Littler to join Michael van Gerwen and Phil Taylor to go back to back at the Winter Gardens? | Darts News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by