Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Across Managed Endpoints
What Happened — Threat actors leveraged a critical vulnerability in FortiClient Endpoint Management Server (EMS) to push a credential‑stealing payload to devices under its control. The campaign masqueraded the malware as a legitimate Fortinet component, allowing wide‑scale theft of user credentials before Fortinet released a patch.
Why It Matters for TPRM —
- A trusted third‑party management platform can become a conduit for credential theft, exposing downstream vendors and customers.
- Unpatched EMS instances may still be present in legacy environments, creating lingering risk.
- Credential compromise can cascade into broader supply‑chain attacks, affecting multiple business units.
Who Is Affected — Enterprises across all sectors that deploy FortiClient EMS for endpoint management, especially those in finance, healthcare, education, and government that rely on Fortinet for remote‑work security.
Recommended Actions —
- Verify that all FortiClient EMS deployments are upgraded to the latest patched version.
- Conduct an inventory of EMS endpoints and confirm de‑registration of any unmanaged or obsolete agents.
- Implement credential‑monitoring alerts for anomalous log‑ins originating from managed devices.
- Review third‑party access controls and segment EMS traffic from critical business networks.
Technical Notes — The exploit abused trusted endpoint‑management infrastructure (third‑party dependency) to deliver malware, effectively turning the EMS server into a delivery mechanism. The vulnerability was classified as critical (CVSS 9.8) and has been assigned CVE‑2026‑XXXX (patched in FortiOS 7.4.5). The payload harvested Windows domain credentials, browser passwords, and saved SSH keys. Source: The Hacker News