Active Exploitation of FortiClient EMS: Detecting the 'Trusted' Credential Stealer
Just came across the latest report regarding threat actors actively exploiting a critical RCE vulnerability in FortiClient EMS (CVE-2026-2213). According to Arctic Wolf, the attackers are abusing the trusted infrastructure to deploy a credential stealer, cleverly disguising the payload as a legitimate Fortinet endpoint component.
The scary part here is the abuse of trust. Since the EMS server pushes updates to agents, a compromised management server becomes a perfect malware distribution system. The payload is masquerading as a core Fortinet process, which might bypass basic heuristics if you rely solely on file reputation.
For those running EMS, ensure you are patched to the latest build immediately. I've whipped up a quick KQL query to help hunt for suspicious child processes spawned by the EMS service on your management servers:
DeviceProcessEvents
| where Timestamp > ago(3d)
| where InitiatingProcessFileName == "FortiClientEMS.exe" or InitiatingProcessFolderPath contains @"Fortinet\FortiClient EMS"
// Filter out known legitimate child processes
| where FileName !in~ ("java.exe", "cmd.exe", "powershell.exe", "conhost.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, AccountName
If you are on-prem, you can also run a quick check to see if your version is vulnerable:
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*FortiClient EMS*" } | Select-Object Name, Version
Has anyone seen attempts against their internet-facing EMS consoles yet? I'm curious if standard WAF rules are blocking the exploit attempts effectively or if this is strictly an authenticated access issue.
Great post. We've been hunting this for a few hours. The trickiest part is that the payload is signed or masquerades so well that it bypasses our standard allow-listing for the EMS directory.
We implemented a Sigma rule based on the parent-child relationship you mentioned. Additionally, check for unexpected outbound SMB connections from the EMS server; the stealer seems to try to move laterally to domain controllers using harvested credentials.
Patching EMS is always a headache for us because it breaks the agent connectivity for a few minutes during the upgrade. In the meantime, we've blocked external access to the EMS management ports (80/443) at the firewall level and are forcing VPN access for management.
It's not a fix, but it reduces the attack surface while we schedule the maintenance windows for our 50+ instances.
From a pentest perspective, this is a gold mine for attackers. If you get access to the EMS, you effectively own the whole fleet without touching the endpoints directly.
Make sure to check the C:\Program Files (x86)\Fortinet\FortiClient EMS\uploads or similar temp directories. In the cases I've analyzed, the dropper lingers there even after execution. Hash everything in that folder against VirusTotal.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access