{"id":237959,"date":"2026-05-29T06:11:13","date_gmt":"2026-05-29T11:11:13","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/05\/threat-actors-exploit-critical-forticlient-ems-flaw-to-deploy-credential-stealer"},"modified":"2026-05-29T06:11:13","modified_gmt":"2026-05-29T11:11:13","slug":"threat-actors-exploit-critical-forticlient-ems-flaw-to-deploy-credential-stealer","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/05\/threat-actors-exploit-critical-forticlient-ems-flaw-to-deploy-credential-stealer","title":{"rendered":"Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/threat-actors-exploit-critical-forticlient-ems-flaw-to-deploy-credential-stealer2.jpg\"><\/a><\/p>\n<p>Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware.<\/p>\n<p>\u201cThe campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,\u201d Arctic Wolf <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch\/\">said<\/a>. \u201cThreat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.\u201d<\/p>\n<p>The activity, observed by the cybersecurity company in May 2026, involves the exploitation of <a href=\"https:\/\/thehackernews.com\/2026\/04\/fortinet-patches-actively-exploited-cve.html\">CVE-2026-35616<\/a> (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. \u201cThe campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,\u201d Arctic Wolf said. \u201cThreat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-237959","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/237959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=237959"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/237959\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=237959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=237959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=237959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}