FortiClient EMS Flaw Used to Deliver Credential-Stealing Malware
Patch FortiClient EMS immediately to stop credential-stealing attacks.
Summary
Threat actors continue to exploit a critical, now-patched flaw in FortiClient Endpoint Management Server (EMS) to deliver credential-stealing malware. The campaign abuses trusted endpoint management infrastructure to spread malware across managed endpoints. Arctic Wolf reported that the attackers disguised the credential-stealer payload as a legitimate Fortinet endpoint update. The vulnerability was patched earlier this year but is still being exploited in the wild.
The attackers use FortiClient EMS to push malicious code that harvests user credentials from the endpoint. Because the payload masquerades as a standard Fortinet update, it evades user scrutiny. Fortinet has released a patch that closes the vulnerability and blocks the malicious update mechanism. Endpoint administrators should verify that the latest EMS patch is installed and monitor for unauthorized update attempts.
Key points
- FortiClient EMS flaw used to deliver credential-stealing malware
- Attackers disguised payload as legitimate Fortinet update
- Vulnerability was patched earlier but remains exploited
- Fortinet released patch closing the vulnerability and blocking malicious updates
- Administrators should install the latest EMS patch and monitor for unauthorized updates