A critical vulnerability in FortiClient Endpoint Management Server (EMS) is being exploited by threat actors to deploy credential-stealing malware. The flaw, which has since been patched, allows attackers to disguise their malicious payload as a legitimate Fortinet endpoint, tricking systems into trusting the malware. As a result, the credential stealer is being delivered across managed endpoints, compromising the security of affected systems. The campaign's use of trusted endpoint management infrastructure to spread malware highlights the risk that vulnerabilities in management software pose. That threat actors are able to disguise their payload as a legitimate Fortinet endpoint [1] underscores the need for organizations to prioritize patching and securing their EMS deployments. For security practitioners, this exploitation demonstrates the importance of keeping management software up to date so that attackers cannot use trusted infrastructure to their advantage.
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
⚠️ Critical Alert
Why This Matters
"Threat actors disguised the credential stealer payload as a Fortinet endpoint
References
- The Hacker News. (2026, May 28). Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer. *The Hacker News*. https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
Original Source
The Hacker News