Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Threat actors continue exploiting a critical vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) to distribute credential-stealing malware, even after patches became available. Arctic Wolf researchers documented the campaign, which abuses the legitimate endpoint management infrastructure to deliver payloads across managed systems.

The attack chain leverages the compromised EMS to disguise malicious credential stealer code as legitimate Fortinet software. This approach bypasses traditional security controls since the malware travels through trusted management channels that organizations typically whitelist. Attackers gain initial access by exploiting the unpatched vulnerability in EMS instances, then pivot to deployed endpoints under management control.

The risk to organizations runs deep. Compromised credentials harvested from managed endpoints create cascading breach potential across corporate networks. Attackers obtain valid authentication tokens for systems already trusted by the organization's infrastructure. This eliminates the need for brute-force attacks or external command-and-control callbacks that detection systems typically flag.

FortiClient EMS serves thousands of enterprises managing distributed workforces. The centralized nature of endpoint management means a single compromised server can expose hundreds or thousands of connected devices simultaneously. Organizations running unpatched instances face active exploitation risk.

Mitigation requires immediate action. Organizations must patch FortiClient EMS instances to the latest version without delay. Network administrators should assume any unpatched EMS deployment may be compromised and conduct forensic reviews of endpoint activity logs. Credential rotation for accounts with access to the EMS infrastructure itself prevents attackers from maintaining persistence after patches deploy.

The persistence of this campaign despite available patches indicates attackers target organizations with delayed patching cycles. Security teams should prioritize EMS updates in their patch management schedules, treating this vulnerability as requiring emergency deployment timelines. Monitoring for suspicious credential usage tied to endpoints managed by EMS deployments provides additional detection opportunities for active intrusions.