Introduction
Active exploitation of a critical vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) has been detected, with threat actors using it to distribute credential-stealing malware. This campaign specifically abuses the trusted relationship between EMS and managed endpoints to deliver malicious payloads disguised as legitimate Fortinet components. Organizations running FortiClient EMS should immediately assess their exposure and apply patches to prevent credential theft and potential lateral movement.
The attack chain leverages the inherent trust between endpoint management infrastructure and managed systems. By compromising EMS, attackers gain the ability to push arbitrary code to endpoints across the enterprise, significantly amplifying the impact of a single vulnerability. This attack technique is particularly concerning because it bypasses many traditional security controls that trust software distribution from legitimate management servers.
Technical Analysis
FortiClient EMS is used by organizations to centrally manage and monitor FortiClient security agents on endpoints. The critical vulnerability being exploited allows unauthorized code execution, enabling attackers to push malicious payloads to managed endpoints.
Affected Products: FortiClient Endpoint Management Server
Vulnerability: Critical security flaw in EMS (now-patched)
CVSS Score: Not yet publicly rated (assumed Critical based on exploitation activity)
Exploitation Status: Confirmed active exploitation in the wild, with threat actors delivering credential-stealing malware
Attack Chain
- Threat actors identify vulnerable FortiClient EMS instances exposed to the network
- They exploit the critical vulnerability to gain unauthorized code execution
- Malicious code is disguised as a legitimate Fortinet endpoint component
- The payload is pushed to managed endpoints through the trusted EMS channel
- The credential stealer executes on endpoints and harvests credentials
- Exfiltration of stolen credentials to attacker-controlled infrastructure
Exploitation Requirements
- Unpatched FortiClient EMS deployment
- Network access to the EMS management interface
- Exploitation may leverage authentication bypass or valid credentials
Detection & Response
SIGMA Rules
---
title: Suspicious FortiClient Process Execution from Unusual Location
id: 8f4a2b1c-9d3e-4f5a-8b7c-9d1e2f3a4b5c
status: experimental
description: Detects processes with FortiClient-related names executing from unusual directory paths, potentially masquerading as legitimate components
references:
    - https://www.fortinet.com
author: Security Arsenal
date: 2026/05/15
tags:
    - attack.defense_evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: 'FortiClient'
    # Sigma has no 'notcontains' modifier: exclude the trusted install roots with a filter instead
    filter_trusted_paths:
        Image|contains:
            - '\Program Files\Fortinet\'
            - '\Program Files (x86)\Fortinet\'
            - '\ProgramData\Fortinet\'
    condition: selection and not filter_trusted_paths
falsepositives:
    - Legitimate FortiClient installations in non-standard directories
level: high
---
title: Potential Credential Dumping via Suspicious Tool
id: 7a3b1c2d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects common credential dumping tools that may be deployed via the FortiClient EMS exploit
references:
    - https://attack.mitre.org/techniques/T1003/
author: Security Arsenal
date: 2026/05/15
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\procdump.exe'
            - '\mimikatz.exe'
            - '\rdrleakdiag.exe'
            - '\taskmgr.exe'
        CommandLine|contains:
            - 'lsadump::'
            - 'sekurlsa::'
            - 'privilege::debug'
            - '-ma'
    condition: selection
falsepositives:
    - Legitimate administrative troubleshooting activities
level: critical
---
title: FortiClient EMS Service Spawning Suspicious Child Process
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the FortiClient EMS service spawning suspicious child processes that may indicate exploitation
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    parent:
        ParentImage|contains:
            - '\FortiClientEMS\'
            - '\Apache24\bin\httpd.exe'
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|contains:
            - 'download'
            - 'invoke-webrequest'
            - 'iex'
            - 'base64'
    # 'all of parent and selection' is not valid Sigma condition syntax; both selections must match
    condition: parent and selection
falsepositives:
    - Legitimate administrative operations via EMS
level: high
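To make the masquerading rule and the EMS child-process rule above concrete, here is an added example (not from the original post or from Fortinet) that applies the same logic in Python to a few constructed process-creation events; the `ProcessEvent` field names are hypothetical stand-ins for Sysmon/EDR columns, and the path comparison is case-insensitive because Windows paths are.

```python
from dataclasses import dataclass

# Trusted install roots, EMS parent images, script hosts and command-line markers from the Sigma rules above
TRUSTED_ROOTS = ("\\program files\\fortinet\\", "\\program files (x86)\\fortinet\\",
                 "\\programdata\\fortinet\\")
EMS_PARENTS = ("\\forticlientems\\", "\\apache24\\bin\\httpd.exe")
SCRIPT_HOSTS = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe")
DOWNLOAD_MARKERS = ("download", "invoke-webrequest", "iex", "base64")

@dataclass
class ProcessEvent:
    """Minimal process_creation record (Sysmon/EDR style); field names are hypothetical."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str

def is_masquerading_forticlient(ev: ProcessEvent) -> bool:
    """Rule 1: FortiClient-named image running outside the trusted Fortinet directories."""
    image = ev.image.lower()
    if "forticlient" not in image:
        return False
    return not any(root in image for root in TRUSTED_ROOTS)

def is_suspicious_ems_child(ev: ProcessEvent) -> bool:
    """Rule 3: EMS service or its bundled Apache spawning a script host with download-style arguments."""
    parent, image, cmd = ev.parent_image.lower(), ev.image.lower(), ev.command_line.lower()
    return (any(p in parent for p in EMS_PARENTS) and image.endswith(SCRIPT_HOSTS)
            and any(m in cmd for m in DOWNLOAD_MARKERS))

def run_detection(events):
    """Return (rule, image) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_masquerading_forticlient(ev):
            hits.append(("forticlient_masquerade", ev.image))
        if is_suspicious_ems_child(ev):
            hits.append(("ems_suspicious_child", ev.image))
    return hits

# Constructed sample events: a legitimate tray process and EMS child, then two that should alert
EMS_HTTPD = r"C:\Program Files (x86)\Fortinet\FortiClientEMS\Apache24\bin\httpd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe",
                 r"C:\Windows\explorer.exe", "FortiTray.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", EMS_HTTPD, "cmd.exe /c dir"),
    ProcessEvent(r"C:\Users\Public\FortiClientUpdate.exe",
                 r"C:\Windows\System32\cmd.exe", "FortiClientUpdate.exe /silent"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 EMS_HTTPD, "powershell.exe -NoProfile -Command iex($stage)"),
]
```

Running `run_detection(SAMPLE_EVENTS)` flags only the third and fourth events; the legitimate tray process passes the trusted-root filter even though its directory name contains "FortiClient".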
KQL (Microsoft Sentinel/Defender)
// Hunt for suspicious FortiClient-related process activity from unusual locations
let SuspiciousFortiProcesses = DeviceProcessEvents
    | where FileName has_any ("FortiClient", "FortiClientEMS", "FortiTray")
    | where FolderPath !has @'\Program Files\Fortinet'
        and FolderPath !has @'\Program Files (x86)\Fortinet'
        and FolderPath !has @'\ProgramData\Fortinet'
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath, AccountName, SHA256, InitiatingProcessAccountName;
SuspiciousFortiProcesses
// Hunt for credential dumping behavior that may be post-exploitation activity
let CredentialDumping = DeviceProcessEvents
    | where FileName in~ ("procdump.exe", "mimikatz.exe", "rdrleakdiag.exe", "taskmgr.exe")
    | where ProcessCommandLine has_any ("lsadump::", "sekurlsa::", "privilege::debug", " -ma ")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName, SHA256;
CredentialDumping
// Hunt for unusual network connections from FortiClient EMS to non-Fortinet endpoints
// (DeviceNetworkEvents has no byte-count columns, so Protocol and ActionType are projected instead)
let UnusualEMSConnections = DeviceNetworkEvents
    | where InitiatingProcessFileName has "FortiClientEMS" or InitiatingProcessFileName has "httpd.exe"
    | where RemoteUrl !contains "fortinet.com" and RemoteUrl !contains "fortiguard.com"
    | where RemotePort != 443 and RemotePort != 80
    | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256, RemoteUrl, RemotePort, RemoteIP, Protocol, ActionType;
UnusualEMSConnections
// Hunt for file creation in FortiClient directories by unusual processes
let SuspiciousFileCreation = DeviceFileEvents
    | where FolderPath has @'\Fortinet'
    | where InitiatingProcessFileName !has "FortiClient"
        and InitiatingProcessAccountName != "SYSTEM"
    | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName, SHA256;
SuspiciousFileCreation
Velociraptor VQL
-- Hunt for suspicious FortiClient-related processes executing from non-standard paths
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'FortiClient'
  AND NOT Exe =~ '(C:\\Program Files|C:\\Program Files \(x86\)|C:\\ProgramData)\\Fortinet'
-- Hunt for credential dumping tools that may be deployed via this exploit
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ '(procdump|mimikatz|rdrleakdiag)'
   OR CommandLine =~ '(lsadump::|sekurlsa::|privilege::debug)'
-- Hunt for suspicious files in FortiClient directories created by non-system processes
-- glob() takes one 'globs' argument holding a list of patterns, and Btime must be compared to a timestamp
SELECT FullPath, Size, Mtime, Atime, Btime, Mode
FROM glob(globs=['C:\\ProgramData\\Fortinet\\**', 'C:\\Program Files\\Fortinet\\**'])
WHERE Btime > timestamp(string='2026-05-01') -- Files created recently
Remediation Script (PowerShell)
# Function to check FortiClient EMS version and vulnerability status
function Check-FortiClientEMSVersion {
    $registryPaths = @(
        "HKLM:\SOFTWARE\Fortinet\FortiClientEMS",
        "HKLM:\SOFTWARE\WOW6432Node\Fortinet\FortiClientEMS"
    )
    foreach ($registryPath in $registryPaths) {
        if (Test-Path $registryPath) {
            $version = (Get-ItemProperty -Path $registryPath -ErrorAction SilentlyContinue).Version
            if ($version) {
                Write-Host "FortiClient EMS Version detected: $version" -ForegroundColor Cyan
                # Check against potentially vulnerable versions (update with actual ranges when known)
                if ([version]$version -lt [version]"7.2.5") {
                    Write-Host "WARNING: Potentially vulnerable version detected. Immediate patching required." -ForegroundColor Red
                    return $false
                } else {
                    Write-Host "Version appears to be patched based on current information." -ForegroundColor Green
                    return $true
                }
            }
        }
    }
    Write-Host "FortiClient EMS not found on this system." -ForegroundColor Yellow
    return $null
}
# Function to check for suspicious FortiClient processes
function Check-SuspiciousFortiProcesses {
    Write-Host "Checking for suspicious FortiClient processes..." -ForegroundColor Cyan
    $fortiProcesses = Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.ProcessName -like "*Forti*" -and $_.Path
    }
    if ($fortiProcesses) {
        $suspiciousFound = $false
        foreach ($proc in $fortiProcesses) {
            # Trusted install roots; "Program Files (x86)" is listed explicitly so 32-bit installs are not flagged
            if ($proc.Path -notmatch "(Program Files|Program Files \(x86\)|ProgramData)\\Fortinet") {
                Write-Host "WARNING: Suspicious FortiClient process detected:" -ForegroundColor Red
                Write-Host "Process: $($proc.ProcessName), PID: $($proc.Id), Path: $($proc.Path)" -ForegroundColor Red
                $suspiciousFound = $true
            }
        }
        if (-not $suspiciousFound) {
            Write-Host "No suspicious FortiClient processes detected." -ForegroundColor Green
            return $true
        }
        return $false
    } else {
        Write-Host "No FortiClient processes found running." -ForegroundColor Yellow
        return $true
    }
}
# Function to check for credential dumping tools
function Check-CredentialDumpingTools {
    Write-Host "Checking for common credential dumping tools..." -ForegroundColor Cyan
    $suspiciousTools = @("procdump.exe", "mimikatz.exe", "rdrleakdiag.exe")
    $foundTools = @()
    foreach ($tool in $suspiciousTools) {
        $processes = Get-Process -Name $tool.Replace(".exe", "") -ErrorAction SilentlyContinue
        if ($processes) {
            $foundTools += $tool
            foreach ($proc in $processes) {
                Write-Host "WARNING: Credential dumping tool running: $($tool) (PID: $($proc.Id))" -ForegroundColor Red
            }
        }
    }
    if ($foundTools.Count -gt 0) {
        return $false
    } else {
        Write-Host "No known credential dumping tools detected." -ForegroundColor Green
        return $true
    }
}
# Main remediation function
function Invoke-FortiClientEMSRemediation {
    Write-Host "============================================================" -ForegroundColor Cyan
    Write-Host "FortiClient EMS Vulnerability Assessment and Remediation" -ForegroundColor Cyan
    Write-Host "============================================================" -ForegroundColor Cyan
    Write-Host ""
    $versionStatus = Check-FortiClientEMSVersion
    Write-Host ""
    $processStatus = Check-SuspiciousFortiProcesses
    Write-Host ""
    $toolStatus = Check-CredentialDumpingTools
    Write-Host ""
    Write-Host "============================================================" -ForegroundColor Cyan
    Write-Host "Assessment complete." -ForegroundColor Cyan
    Write-Host "============================================================" -ForegroundColor Cyan
    Write-Host ""
    if ($versionStatus -eq $false -or $processStatus -eq $false -or $toolStatus -eq $false) {
        Write-Host "REMEDIATION ACTIONS REQUIRED:" -ForegroundColor Red
        Write-Host "1. Apply the latest FortiClient EMS patches immediately" -ForegroundColor Red
        Write-Host "2. Review all endpoint logs for signs of credential theft" -ForegroundColor Red
        Write-Host "3. Rotate potentially compromised credentials" -ForegroundColor Red
        Write-Host "4. Rebuild affected endpoints if compromise is confirmed" -ForegroundColor Red
        Write-Host "5. Isolate affected systems from the network" -ForegroundColor Red
    } else {
        Write-Host "No immediate remediation actions required based on this assessment." -ForegroundColor Green
        Write-Host "Continue monitoring for suspicious activity." -ForegroundColor Yellow
    }
}
# Execute remediation check
Invoke-FortiClientEMSRemediation
Remediation
- Immediate Patching: Apply the latest security patches for FortiClient EMS immediately. Check the Fortinet advisory for the specific version that addresses this vulnerability. Organizations should prioritize patching of internet-facing EMS instances.
- Verify Patch Installation: Confirm that all FortiClient EMS instances have been updated to the patched version using the PowerShell script provided or manual verification.
- Isolate Affected Systems: If compromise is suspected, immediately isolate affected FortiClient EMS servers and potentially compromised managed endpoints from the network to prevent further spread of malicious payloads.
- Credential Rotation: Assume credentials may have been compromised. Rotate credentials for all accounts that had access to managed endpoints, with special emphasis on privileged accounts and domain administrators.
- Endpoint Forensics: Conduct thorough forensic analysis on endpoints that may have received malicious payloads. Look for:
  - Suspicious processes masquerading as Fortinet components
  - Credential dumping tools or evidence of credential theft
  - Unusual network connections to external IPs
  - Files created in FortiClient directories by non-Fortinet processes
- Network Monitoring: Implement enhanced monitoring for suspicious network activity from FortiClient EMS servers to detect any post-exploitation behavior, including C2 communication and data exfiltration.
- Access Controls: Review and restrict administrative access to FortiClient EMS. Implement multi-factor authentication where possible and enforce least-privilege principles.
- Segregate Management Networks: Consider segregating endpoint management infrastructure from general network traffic to limit the potential blast radius if management infrastructure is compromised.
- Vendor Advisory: Refer to the official Fortinet security advisory for detailed patching instructions and configuration changes: https://www.fortinet.com/support/advisories
- Reporting: Report confirmed compromises to relevant authorities and consider disclosure to affected stakeholders as required by regulations and organizational policies.
- Security Controls Review: Evaluate security controls around endpoint management infrastructure. Consider implementing application allowlisting for management servers and enhanced logging of management operations.
- Incident Response: If compromise is confirmed, activate incident response procedures and consider engaging third-party forensics experts to ensure thorough investigation and remediation.