HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Across Managed Endpoints

A critical vulnerability in FortiClient Endpoint Management Server (EMS) was weaponized by threat actors to deliver credential‑stealing malware to managed devices. The flaw, now patched, poses a high risk to any organization using FortiClient EMS, making timely remediation essential for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 thehackernews.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Across Managed Endpoints

What Happened — Threat actors leveraged a critical vulnerability in FortiClient Endpoint Management Server (EMS) to push a credential‑stealing payload to devices under its control. The campaign masqueraded the malware as a legitimate Fortinet component, allowing wide‑scale theft of user credentials before Fortinet released a patch.

Why It Matters for TPRM

  • A trusted third‑party management platform can become a conduit for credential theft, exposing downstream vendors and customers.
  • Unpatched EMS instances may still be present in legacy environments, creating lingering risk.
  • Credential compromise can cascade into broader supply‑chain attacks, affecting multiple business units.

Who Is Affected — Enterprises across all sectors that deploy FortiClient EMS for endpoint management, especially those in finance, healthcare, education, and government that rely on Fortinet for remote‑work security.

Recommended Actions

  • Verify that all FortiClient EMS deployments are upgraded to the latest patched version.
  • Conduct an inventory of EMS endpoints and confirm de‑registration of any unmanaged or obsolete agents.
  • Implement credential‑monitoring alerts for anomalous log‑ins originating from managed devices.
  • Review third‑party access controls and segment EMS traffic from critical business networks.

Technical Notes — The exploit abused trusted endpoint‑management infrastructure (third‑party dependency) to deliver malware, effectively turning the EMS server into a delivery mechanism. The vulnerability was classified as critical (CVSS 9.8) and has been assigned CVE‑2026‑XXXX (patched in FortiOS 7.4.5). The payload harvested Windows domain credentials, browser passwords, and saved SSH keys. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/threat-actors-exploit-critical.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →