The Management Channel Becomes the Delivery Channel
The FortiClient EMS campaign is a useful reminder that the boundary between phishing response, endpoint management, and identity defense is gone. Arctic Wolf reported that threat actors exploited CVE-2026-35616 against FortiClient Endpoint Management Server deployments and then used the management path itself to deliver a credential stealer to managed endpoints. The payload was presented as a Fortinet endpoint patch, which matters because the attack borrowed the trust already assigned to software distribution and remote access administration.
That changes how defenders should brief the incident. This is not a generic "user clicked a bad attachment" story. It is a post-exploitation distribution story, in which a compromised management plane can make malicious execution look like normal endpoint operations. If a security team only searches for phishing emails or suspicious downloads, it may miss the part where trusted infrastructure delivered the payload after the original foothold.
Why EKZ Raises the Identity Stakes
The payload Arctic Wolf named EKZ Infostealer focused on browser-resident value: credentials, cookies, and other saved data from Chromium and Firefox-family browsers. That target set is exactly why infostealers remain so useful after MFA adoption. Passwords still matter, but cookies and saved browser state can give an attacker authenticated reach into SaaS, internal web applications, and cloud consoles without replaying the original login ceremony.
In the observed flow, FortiClient components launched command scripts that invoked PowerShell, downloaded the executable, and staged harvested data for exfiltration. That process lineage is the defensive gift inside an ugly incident. The signal is not only the malware hash. It is FortiClient-adjacent script execution, hidden or encoded PowerShell, unexpected remote access profile changes, and EMS logs that show certificate or fabric-device anomalies close to configuration updates.
The risk expands across every endpoint that trusts the management server. Once the management plane is modified, the attacker does not need to compromise each workstation one by one. A single privileged pathway can become a fleet-wide delivery rail, and the resulting browser data can fuel account takeover far beyond the original endpoint estate.
Detection Starts Before the Binary
The cleanest response starts at the EMS management plane. Patch the affected FortiClient EMS versions, restrict access to the EMS management port to trusted administrative networks, and review whether the service is reachable from places it should never be reachable from. Then audit Remote Access Profile settings, endpoint policies, script directives, and any configuration change that would cause endpoint-side execution on VPN connection.
Endpoint hunts should look for PowerShell execution under FortiClient-related parents such as `fortitray.exe` or `ipsec.exe`, especially when the command path includes FortiClient trace script directories. The exact indicator set will age quickly, but the behavior is durable: management client launches script, script launches PowerShell, PowerShell retrieves a binary, binary touches browser credential stores, and output appears in common staging locations.
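The lineage-based hunt described above, written out as an added example (not code from the original article or from Arctic Wolf). The events are constructed Sysmon-style process-creation records; the parent names and the hidden/encoded PowerShell switches come from the article, while the ancestor-walk logic, the alert format and the placeholder script path are assumptions.

```python
"""Hunt for PowerShell spawned under FortiClient-related parents (added example)."""
import re

# Parent process names taken from the article; matched case-insensitively.
FORTI_PARENTS = {"fortitray.exe", "ipsec.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Hidden-window or encoded invocations (real PowerShell switches).
SUSPICIOUS_FLAGS = re.compile(r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.IGNORECASE)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name from a Windows image path

def ancestors(event, by_pid, max_depth=8):
    """Walk ppid links upward, guarding against cycles and reused pids."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen and len(seen) < max_depth:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])

def hunt(events):
    """Alert on PowerShell whose process lineage includes a FortiClient client binary."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e["image"]) not in SHELLS:
            continue
        forti = next((a for a in ancestors(e, by_pid)
                      if image_name(a["image"]) in FORTI_PARENTS), None)
        if forti is None:
            continue  # PowerShell with an ordinary parent chain is not the signal here
        reasons = ["powershell under %s" % image_name(forti["image"])]
        if SUSPICIOUS_FLAGS.search(e["cmdline"]):
            reasons.append("hidden/encoded PowerShell switches")
        alerts.append({"pid": e["pid"], "reasons": reasons})
    return alerts

# Constructed events: tray client -> cmd script -> hidden PowerShell, plus benign noise.
# The script directory is a placeholder (assumption), not a real FortiClient trace path.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe", "cmdline": "FortiTray.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\PLACEHOLDER-SCRIPT-DIR\update.cmd"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe Get-Date"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags only pid 102, because the benign PowerShell under `explorer.exe` has no FortiClient ancestor; the same ancestor walk works over real Sysmon Event ID 1 exports once pid, ppid, image and command line are mapped to these keys.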
Identity teams should join the same incident bridge. Browser credentials and cookies make this a session-containment problem as much as an endpoint cleanup problem. Reset affected credentials, revoke sessions for exposed users, review conditional access and impossible-travel alerts, and assume that cloud activity after endpoint compromise may be the second phase rather than an unrelated alert.
The Defender Lesson
This campaign sits in the same strategic bucket as phishing that abuses RMM tools, fake software updates, and developer package compromise: the attacker wants a trusted operational channel to do the thing the user or endpoint would normally permit. The lure may start the story, but the trusted channel scales it.
Security teams should inventory management planes with the same urgency they bring to identity providers. Who can reach them, who can change them, what scripts can they push, what logs prove a legitimate administrator made the change, and what telemetry follows the change onto endpoints? Those questions are not compliance trivia. They are the difference between one compromised service and a credential-theft campaign riding your own administration fabric.