Threat Actors Exploit FortiClient EMS Flaw to Deploy Credential-Stealing Malware
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (AP) — Threat actors have exploited a critical security vulnerability in FortiClient Enterprise Management Server (EMS) to deploy credential-stealing malware across managed endpoints globally. The attack, detected on May 28, 2026, targeted organizations relying on Fortinet's endpoint security solutions, allowing attackers to harvest sensitive data including passwords, browser cookies, and autofill details.
The vulnerability in FortiClient EMS, a central management console used to administer endpoint security policies, enabled unauthorized access to managed devices. Once compromised, the system was used to push malicious payloads to connected endpoints, bypassing standard security protocols. Security researchers identified the breach after detecting unusual network traffic patterns originating from managed servers.
Fortinet has acknowledged the incident and is working to patch the vulnerability. The company stated that the flaw allowed threat actors to execute arbitrary code on the EMS server, which in turn facilitated the distribution of malware to client devices. The attack vector exploited a privilege escalation issue within the management interface, granting attackers administrative control over the network's security infrastructure.
Organizations affected by the breach include enterprises across multiple sectors, though the full scope of the compromise remains unclear. The malware deployed in the attack is designed to exfiltrate credentials and other sensitive information, posing significant risks to corporate data and user privacy. Security experts warn that the stolen data could be used for further attacks, including identity theft and unauthorized access to financial systems.
The incident highlights the growing threat posed by supply chain attacks targeting security software vendors. By compromising a trusted security tool, attackers can gain access to multiple organizations simultaneously, amplifying the impact of the breach. Fortinet has advised customers to apply the latest security patches immediately and to monitor their networks for signs of compromise.
Security analysts are investigating the origin of the attack and the identity of the threat actors involved. Preliminary analysis suggests the group may have sophisticated capabilities, given the precision of the exploit and the scale of the deployment. However, no attribution has been confirmed at this time.
The breach has raised concerns about the security of enterprise management systems and the need for robust patch management practices. Companies are urged to review their security configurations and ensure that all systems are up to date with the latest security updates. The incident also underscores the importance of monitoring network traffic for anomalies that could indicate a breach.
As investigations continue, the focus remains on mitigating the impact of the attack and preventing further exploitation of the vulnerability. Security firms are working with affected organizations to contain the breach and recover compromised data. The full extent of the damage and the number of affected endpoints are still being assessed.