
Threat actors are actively exploiting a critical, already-patched vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) to distribute credential-stealing malware across managed devices, according to a report by Arctic Wolf published on 29 May 2026.

Trusted Infrastructure Turned Against Its Users

What makes this campaign stand out is not merely the exploit itself, but the method of delivery. By compromising the centralised EMS platform — the very tool organisations rely on to manage and secure their endpoints — attackers effectively weaponised the trust relationship between management server and client. Malicious payloads were disguised as legitimate Fortinet endpoint updates, pushing the credential stealer out through a channel that endpoint devices are configured to trust implicitly.

"Threat actors disguised the credential stealer payload as a Fortinet endpoint update," Arctic Wolf noted in its analysis, adding that the campaign "abused trusted endpoint management infrastructure to deliver malware across managed endpoints."

This approach offers attackers several significant advantages. A compromised management server can push code to every connected endpoint simultaneously, giving the operation a blast radius that individual phishing or drive-by download campaigns simply cannot match. Because the payload arrives through an authorised, trusted channel, it also bypasses user-level suspicion — employees have no reason to question software their security platform is distributing.

A Familiar Pattern

The vulnerability in question, tracked as CVE-2026-35616, is a critical SQL injection flaw in FortiClient EMS carrying a CVSS score of 9.8. Fortinet issued a patch for the issue, yet the continued exploitation underscores a persistent challenge across the industry: the gap between patch availability and deployment remains wide enough for attackers to operate effectively.

Fortinet products have been frequent targets for exploitation campaigns in recent years, with multiple critical vulnerabilities in FortiOS and related platforms appearing in CISA's Known Exploited Vulnerabilities catalogue. The pattern repeats across the broader security appliance landscape — centralised management tools from various vendors, including Ivanti and Citrix, have similarly been targeted once patches are released but before organisations apply them.

Why This Matters for IT Teams

The incident carries a clear operational message: security management infrastructure demands the same — or greater — patching urgency as internet-facing edge devices. Traditional patching hierarchies often prioritise externally exposed systems, while internal management platforms may sit further down the queue. This campaign demonstrates that such a prioritisation can be a costly mistake.

For organisations running FortiClient EMS, the recommended actions are straightforward:

  • Patch immediately if running an affected version, applying the latest Fortinet security updates without delay.
  • Audit EMS logs for any unexpected or previously unrecognised software distribution events.
  • Inspect managed endpoints for indicators of compromise associated with the credential stealer payload.
  • Review trust configurations between management servers and endpoints to limit the potential blast radius of any future compromise.
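As an added example (not from the Arctic Wolf report or from any Fortinet tooling), the check below implements the "audit EMS logs" step over a constructed JSON-lines deployment log: each deploy event is compared with a change-managed allow-list of package name, publisher and hash, and is also flagged for unusual fan-out or off-hours timing, the two traits a disguised update pushed to every managed endpoint would show. The log schema, package names, hashes, operator names and thresholds are all assumptions made for illustration.

```python
"""Flag software-distribution events that deviate from an approved baseline.

The JSON-lines schema, package names and hashes below are constructed for this
example; they are not FortiClient EMS's real log format or real artefacts.
"""
import json
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed baseline: package name -> (publisher, SHA-256 from the change ticket).
APPROVED_PACKAGES: Dict[str, Tuple[str, str]] = {
    "endpoint-agent-update-7.x": ("Fortinet Inc.", "<approved-sha256-placeholder>"),
}

# Constructed sample log lines (hypothetical schema, not vendor output).
SAMPLE_LOG = """\
{"ts": "2026-05-28T02:10:00Z", "event": "deploy", "package": "endpoint-agent-update-7.x", "publisher": "Fortinet Inc.", "sha256": "<approved-sha256-placeholder>", "targets": 40, "operator": "svc-patching"}
{"ts": "2026-05-28T23:41:07Z", "event": "deploy", "package": "endpoint-agent-update-7.x", "publisher": "Fortinet Inc.", "sha256": "deadbeef", "targets": 1200, "operator": "admin"}
{"ts": "2026-05-29T00:02:13Z", "event": "deploy", "package": "EndpointUpdate.exe", "publisher": "", "sha256": "cafef00d", "targets": 1200, "operator": "admin"}
"""


def audit(log_text: str, approved: Dict[str, Tuple[str, str]],
          max_targets: int = 200, window: Tuple[int, int] = (1, 5)) -> List[dict]:
    """Return one finding per deploy event that deviates from the approved baseline."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") != "deploy":
            continue  # only distribution events are in scope here
        reasons = []
        known = approved.get(ev["package"])
        if known is None:
            reasons.append("package not in approved baseline")
        else:
            publisher, sha = known
            if ev.get("publisher") != publisher:
                reasons.append("publisher mismatch")
            if ev.get("sha256") != sha:
                reasons.append("hash differs from approved package")
        # Blast-radius heuristic: a single push to far more endpoints than usual.
        if ev.get("targets", 0) > max_targets:
            reasons.append(f"fan-out {ev['targets']} exceeds {max_targets} endpoints")
        # Timing heuristic: deployments outside the agreed maintenance window (UTC).
        hour = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).hour
        if not window[0] <= hour <= window[1]:
            reasons.append(f"outside maintenance window {window[0]:02d}:00-{window[1]:02d}:00 UTC")
        if reasons:
            findings.append({"ts": ev["ts"], "package": ev["package"],
                             "operator": ev.get("operator"), "reasons": reasons})
    return findings
```

Findings are meant to be triaged against the change calendar; the first sample line, an approved package pushed to a small group inside the window, produces none, while the other two are flagged on several counts each.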

The broader takeaway extends beyond Fortinet. Any platform that acts as a centralised authority for endpoint management inherently concentrates risk. If that authority is subverted, the very mechanisms designed to protect an organisation become the attack vector. Security teams should evaluate whether their management infrastructure is monitored with the same rigour applied to perimeter defences — and whether patching SLAs for these critical internal systems are adequate for the threat landscape they now face.

