FortiClient EMS Flaw Exploited for Credential Theft

Robert Moore · 2026-05-28

Cybersecurity researchers have uncovered an active campaign where threat actors are exploiting a critical vulnerability in FortiClient Endpoint Management Server (EMS) to deploy credential-stealing malware. The flaw, which has since been patched, allowed attackers to abuse trusted endpoint management infrastructure for malicious purposes. According to Arctic Wolf, the campaign leveraged the EMS to deliver malware across managed endpoints. The attackers disguised the credential stealer payload as a legitimate Fortinet endpoint update, making it difficult for security tools to detect. ### How the Attack Works The exploit targets a now-patched vulnerability in FortiClient EMS, which is used by organizations to manage and monitor endpoints. By compromising the server, attackers can push malicious updates to connected devices. This method is particularly dangerous because the malware appears to come from a trusted source. - Attackers gain initial access to the EMS through the unpatched flaw. - They then upload a fake Fortinet endpoint update containing the credential stealer. - The malware is automatically deployed to all managed endpoints, bypassing traditional security checks.  ### Why This Matters This campaign highlights a growing trend of attackers using trusted infrastructure for delivery. By hijacking legitimate management tools, they can evade detection and spread malware quickly. For organizations using FortiClient EMS, this is a stark reminder to apply patches promptly. The stolen credentials can be used for further attacks, including data breaches, ransomware deployment, and lateral movement within networks. The impact can be severe, especially for businesses with sensitive data. ### Protecting Your Environment To defend against such attacks, organizations should take these steps: - Immediately apply the latest FortiClient EMS patch. - Enable multi-factor authentication for all administrative accounts. - Monitor EMS logs for unusual activity, such as unexpected update uploads. - Use endpoint detection and response tools to catch anomalies. - Restrict EMS access to only necessary personnel. ### The Bigger Picture This incident is part of a larger trend where cybercriminals target endpoint management systems. As more companies adopt remote work, the attack surface expands. Fortinet has released a fix, but many organizations may still be vulnerable if they haven't updated. Arctic Wolf's report underscores the need for proactive security measures. Waiting for a breach to happen is no longer an option. Regular patching, employee training, and robust monitoring are essential. ### Final Thoughts The exploitation of FortiClient EMS is a wake-up call for IT teams. Trusted infrastructure can be turned against you if not properly secured. By staying vigilant and applying updates quickly, you can reduce the risk of credential theft and other attacks. Remember, security is an ongoing process. Keep your systems patched, monitor for signs of compromise, and never assume your defenses are enough. The threat landscape evolves daily, and so must your strategy.