Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer


What’s new: Threat actors are exploiting a critical vulnerability (CVE-2026-35616, CVSS score: 9.1) in FortiClient Endpoint Management Server (EMS) to deploy credential-stealing malware. The flaw is a pre-authentication API access bypass that leads to privilege escalation. The malware is disguised as a legitimate Fortinet update and is executed via PowerShell, reaching managed endpoints through the compromised EMS without requiring a separate intrusion path to each endpoint.

Who’s affected

Organizations using FortiClient EMS versions prior to 7.4.7 are at risk, as the vulnerability has been actively exploited to deliver malware across managed endpoints.

What to do

  • Update FortiClient EMS to version 7.4.7 or later to mitigate the vulnerability.
  • Monitor managed endpoints for unauthorized changes and suspicious activity.
  • Review and tighten endpoint management configurations to prevent unauthorized script execution.
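The first step above is a fleet-wide version check. The script below is an added example, not code from the advisory or from Fortinet: it parses the version strings an inventory export might report and flags every EMS server older than 7.4.7, exactly as the page phrases the affected range. The hostnames and version strings are constructed sample data, and the "prior to 7.4.7" rule is the page's; a production check should confirm the fixed version for each release branch against the vendor advisory.

```python
"""Triage a FortiClient EMS inventory against the fixed release (7.4.7).

Added example, not part of the original advisory summary. The inventory
records below are constructed sample data; hostnames and versions are
illustrative, not real assets.
"""
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = "7.4.7"  # from the advisory: update to 7.4.7 or later


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the dotted numeric version from strings such as '7.4.6' or
    'FortiClient EMS 7.4.6 build 1870'.

    Segments are compared as integers so that 7.4.10 sorts after 7.4.7;
    a plain string comparison would rank it as older.
    """
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory: (hostname, version string as reported).
SAMPLE_INVENTORY = [
    ("ems-prod-01", "FortiClient EMS 7.4.6 build 1870"),
    ("ems-prod-02", "7.4.7"),
    ("ems-lab-01", "7.4.10"),
    ("ems-legacy-01", "7.2.9"),
]


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames still running a vulnerable EMS version."""
    return [host for host, version in inventory if is_vulnerable(version)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update to {FIXED_VERSION} or later")
```

Run against a real export, the `triage` list is the patch queue; the integer comparison matters because EMS point releases past .9 would otherwise be reported as vulnerable.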

Sources