FortiClient EMS CVE-2026-35616 exploitation and stealer delivery
Updated 28.05.2026 20:25
Case score 56
Top contributors
- Exploitation Wave (base): Observed exploitation of **CVE-2026-35616** to push malware through EMS-managed channels.
- Vulnerability (context): Adds fix availability, KEV status, and reported internet exposure for the same **CVE-2026-35616** in **FortiClient EMS**.
Members 2
Latest activity 28.05.2026 20:25
Active exploitation
Patch available
CVSS: 9.8 Critical
First seen 05.04.2026 21:45
Last seen 28.05.2026 18:26
Overview
**FortiClient EMS** exploitation around **CVE-2026-35616** has moved from critical flaw disclosure into observed abuse of endpoint-management infrastructure to push a disguised credential stealer across managed devices. Attackers used the pre-authentication access bypass to gain privileged control over EMS settings and launch a PowerShell-based chain through trusted Fortinet processes, with stolen browser data sent to **83.138.53[.]110**.
**Fortinet** issued fixes for affected **7.4.5** and **7.4.6** deployments and directs customers to **7.4.7 or later**, while the vulnerability is also listed in **CISA KEV**. Available exposure tracking found more than **2,000** internet-accessible EMS instances online, so patching needs to be paired with compromise review rather than treated as a routine update.
Attackers are exploiting **CVE-2026-35616** in **FortiClient Endpoint Management Server (EMS)** to turn a trusted endpoint-management path into a malware delivery channel. In activity observed in **May 2026**, the flaw gave unauthenticated access that led to privileged control over EMS-managed settings, letting adversaries push malicious scripts without separately breaching each endpoint. The intrusion chain used **fortitray.exe**, **cmd.exe**, and a Base64-encoded PowerShell sequence to download and run **FortiEndpoint_Patch.exe**, a disguised credential stealer.
Collected browser passwords, cookies, and autofill data were staged locally and then sent by the PowerShell component to **83.138.53[.]110** over HTTP POST. That downstream access matters because compromise of the management server can expand to every managed device attached to the affected EMS deployment. Available material does not identify a threat actor or quantify how many organizations were compromised through the observed activity.
**Fortinet** issued an emergency fix for affected **FortiClient EMS 7.4.5** and **7.4.6** deployments and directed customers to move to **7.4.7 or later**. The vulnerability has also been listed in **CISA KEV**, and available exposure tracking noted more than **2,000** internet-accessible EMS instances online, with concentrations reported in the **United States** and **Germany**. Defenders need to treat exposed EMS servers as potential initial compromise points, review management-configuration changes, and hunt for the observed process chain and network destination even after patching.
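As an added example that is not part of the case write-up, the following Python hunt logic turns the observed process chain and network destination into checks a defender can run over endpoint telemetry. It assumes Sysmon-style events (EventID 1 process creation with ProcessGuid/ParentProcessGuid links, EventID 3 network connections); the sample events, GUIDs and file paths are constructed placeholders, and only the indicators on this page (fortitray.exe, cmd.exe, encoded PowerShell, FortiEndpoint_Patch.exe, 83.138.53[.]110) are used. It goes slightly beyond the text by walking parent links so the PowerShell stage is tied back to fortitray.exe even when the immediate parent is cmd.exe.

```python
"""Hunt for the FortiClient EMS abuse chain described in the case.

Constructed Sysmon-style events, not real telemetry. Findings raised:
  * cmd.exe whose parent is fortitray.exe
  * encoded PowerShell whose lineage includes fortitray.exe, and whose decoded
    payload references FortiEndpoint_Patch.exe or the stealer destination
  * execution of FortiEndpoint_Patch.exe
  * any outbound connection to the stealer destination
"""
import base64
import re
from typing import Dict, List, Optional

# Indicators from the case write-up; the destination is kept defanged in source.
C2_DEFANGED = "83.138.53[.]110"
STEALER_BINARY = "fortiendpoint_patch.exe"
ROOT_PARENT = "fortitray.exe"
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a value that matches telemetry."""
    return ioc.replace("[.]", ".")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode PowerShell's -EncodedCommand argument (Base64 of UTF-16LE)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestors(guid: str, procs: Dict[str, dict], depth: int = 3) -> List[str]:
    """Image basenames of the parent, grandparent, ... of a process GUID."""
    chain = []
    for _ in range(depth):
        parent = procs.get(guid, {}).get("ParentProcessGuid")
        if parent not in procs:
            break
        chain.append(basename(procs[parent]["Image"]))
        guid = parent
    return chain


def hunt(events: List[dict]) -> List[str]:
    """Return human-readable findings for the chain described in the case."""
    procs = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    c2 = refang(C2_DEFANGED)
    findings = []
    for e in events:
        if e.get("EventID") == 1:
            image = basename(e["Image"])
            cmd = e.get("CommandLine", "")
            lineage = ancestors(e["ProcessGuid"], procs)
            if image == "cmd.exe" and lineage[:1] == [ROOT_PARENT]:
                findings.append(f"{ROOT_PARENT} spawned cmd.exe")
            if image in ("powershell.exe", "pwsh.exe") and ENCODED_ARG.search(cmd):
                decoded = (decode_encoded_command(cmd) or "").lower()
                if ROOT_PARENT in lineage:
                    findings.append("encoded PowerShell descended from fortitray.exe")
                if STEALER_BINARY in decoded or c2 in decoded:
                    findings.append("decoded command references FortiEndpoint_Patch.exe or C2")
            if image == STEALER_BINARY:
                findings.append("FortiEndpoint_Patch.exe executed")
        elif e.get("EventID") == 3 and e.get("DestinationIp") == c2:
            findings.append(f"{basename(e.get('Image', ''))} connected to {C2_DEFANGED}")
    return findings


def _encode(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (placeholder GUIDs and paths), not incident data.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "ParentProcessGuid": "svc",
     "Image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe", "CommandLine": "FortiTray.exe"},
    {"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c"},
    {"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "B",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + _encode("Write-Output FortiEndpoint_Patch.exe")},
    {"EventID": 3, "ProcessGuid": "C",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "83.138.53.110", "DestinationPort": 80},
    # Benign control: cmd.exe started from an unrelated parent raises nothing.
    {"EventID": 1, "ProcessGuid": "D", "ParentProcessGuid": "explorer",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The lineage walk is what makes the rule useful after patching: a single process-creation event shows only the immediate parent, so without it an encoded PowerShell under cmd.exe looks like ordinary administrator activity. Extend the same `hunt` loop to file-creation events if your sensor records them, matching on the FortiEndpoint_Patch.exe name.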