Threat actors are actively exploiting a critical vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) platform to distribute credential-stealing malware across enterprise environments, according to a new report from Arctic Wolf.
The flaw, tracked as CVE-2026-35616, was patched by Fortinet some time ago. Yet organizations that have not yet applied the fix remain exposed, and attackers are taking full advantage of the resulting patch gap to compromise networks at scale.
Fake Updates as the Delivery Mechanism
What makes this campaign particularly dangerous is how it exploits the trust relationship between management infrastructure and the endpoints it oversees. The attackers used the compromised FortiClient EMS to push bogus software updates to managed devices — updates that appeared routine and legitimate but in fact carried a credential-stealing payload.
By disguising malware as a standard update distributed through a trusted management channel, the threat actors ensured their payload would bypass much of the scrutiny that security teams typically apply to unsolicited downloads or email attachments. Endpoints enrolled in the affected EMS instance had no reason to reject what looked like a routine update from their own management server.
"The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf noted in its disclosure, underscoring how the update mechanism was weaponized to maximize infection rates.
The Patch Gap Problem
The incident is a stark reminder of the risks posed by delayed patching, particularly for management-plane systems. Unlike a single endpoint vulnerability, a flaw in an enterprise management platform can serve as a springboard for network-wide compromise. Once an attacker gains control of the infrastructure responsible for deploying software and configurations to every managed device, the blast radius extends to the entire fleet.
Security researchers have long warned that management and orchestration platforms represent high-value targets precisely because of this leverage. A single exploitation of CVE-2026-35616 gave attackers the ability to distribute malicious payloads to potentially every endpoint enrolled in the affected EMS instance — all through a channel those endpoints were configured to trust.
Credential Theft as a Strategic Objective
The choice to deploy a credential stealer is a tactically significant one. Stolen credentials are among the most versatile assets in an attacker's toolkit — they enable lateral movement within a network, facilitate privilege escalation, and can be monetized on underground markets. Security analysts frequently treat credential-stealing campaigns as precursors to more damaging follow-on activity, including ransomware deployment and data exfiltration.
For organizations running FortiClient EMS, the implications extend beyond the immediate malware infection. Any credentials harvested during this campaign could be used to penetrate deeper into the victim's environment long after the original vulnerability is patched.
Mitigation Steps
Organizations using FortiClient EMS should immediately verify that CVE-2026-35616 has been patched on all instances. Where the patch has not yet been applied, prioritizing its deployment is critical given the active exploitation confirmed by Arctic Wolf. Security teams should also conduct forensic sweeps of managed endpoints for signs of the credential stealer and review authentication logs for any anomalous activity that could indicate stolen credentials are already being leveraged. As a precautionary measure, rotating credentials — especially for privileged accounts managed through or accessible to affected EMS servers — is strongly advised.
The broader lesson for IT and security professionals is clear: patching management-plane infrastructure should never be treated as a lower priority than patching endpoints themselves. When the management tool becomes the attack surface, every device it touches is at risk.
根據Arctic Wolf的一份新報告,威脅行為者正在積極利用Fortinet旗下FortiClient端點管理伺服器(EMS)平台中的一個嚴重漏洞,透過虛假軟件更新在企業環境中散播竊取憑證的惡意軟件。
該漏洞編號為CVE-2026-35616,Fortinet此前已發布修補程式。然而,尚未安裝修補程式的機構仍然暴露在風險之中,攻擊者正充分利用由此產生的修補缺口,對網絡進行大規模入侵。
以虛假更新作為傳遞機制
此次攻擊行動的危險性在於其利用了管理基礎設施與其所管轄端點之間的信任關係。攻擊者利用被入侵的FortiClient EMS向受管設備推送虛假的軟件更新——這些更新看似例行且合法,但實際上內藏竊取憑證的有效載荷。
透過將惡意軟件偽裝成經由受信任管理渠道分發的標準更新,威脅行為者確保了其有效載荷能繞過安全團隊通常對未經請求的下載或電郵附件所施加的大部分審查。註冊於受影響EMS實例中的端點,沒有理由拒絕這看似來自自身管理伺服器的例行更新。
Arctic Wolf在披露中指出:「此攻擊行動濫用受信任的端點管理基礎設施,在受管端點中傳遞惡意軟件。」這凸顯了更新機制如何被武器化以最大化感染率。
修補缺口的問題
這起事件鮮明地提醒我們延遲修補漏洞所帶來的風險,特別是對於管理平面系統而言。與單一端點漏洞不同,企業管理平台中的缺陷可能成為網絡全面淪陷的跳板。一旦攻擊者掌控了負責向所有受管設備部署軟件及配置的基礎設施,其破壞範圍將擴展至整個設備群。
安全研究人員早已警告,管理與編排平台正是因其具備此類槓桿效應,而成為高價值攻擊目標。在本案例中,單一次CVE-2026-35616漏洞的利用,便賦予了攻擊者向受影響EMS實例中註冊的潛在所有端點分發惡意載荷的能力——而且是透過這些端點被設定為信任的渠道進行。
竊取憑證作為戰略目標
選擇部署竊取憑證程式具有重要戰術意義。被盜取的憑證是攻擊者工具包中最通用的資產之一——它們能實現網絡內的橫向移動、助長權限提升,並可在地下市場獲利。安全分析師通常將竊取憑證的攻擊行動視為後續更具破壞性活動的前兆,包括勒索軟件部署及數據滲出。
對於運行FortiClient EMS的機構而言,其影響遠不止於直接的惡意軟件感染。在此攻擊行動期間被竊取的任何憑證,可能在原始漏洞修補後很長時間內,仍被用於深入滲透受害者的環境。
緩解措施
使用FortiClient EMS的機構應立即驗證所有實例是否已修補CVE-2026-35616漏洞。鑑於Arctic Wolf已確認存在活躍的漏洞利用行為,若修補程式尚未應用,優先部署此修補程式至關重要。安全團隊還應對受管端點進行取證掃描,尋找竊取憑證程式的跡象,並審查身份驗證日誌,查找可能表明被盜憑證已被使用的異常活動。作為預防措施,強烈建議輪換憑證——特別是通過受影響EMS伺服器管理或可存取的特權帳戶。
對IT及安全專業人員而言,更廣泛的啟示十分明確:修補管理平面基礎設施的優先級絕不應低於修補端點本身。當管理工具成為攻擊面時,它所觸及的每一台設備都面臨風險。