ForumsExploitsActive Exploitation of FortiClient EMS: Detecting the 'Trusted' Credential Stealer

Active Exploitation of FortiClient EMS: Detecting the 'Trusted' Credential Stealer

Vuln_Hunter_Nina 5/28/2026 USER

Just came across the latest report regarding threat actors actively exploiting a critical RCE vulnerability in FortiClient EMS (CVE-2026-2213). According to Arctic Wolf, the attackers are abusing the trusted infrastructure to deploy a credential stealer, cleverly disguising the payload as a legitimate Fortinet endpoint component.

The scary part here is the abuse of trust. Since the EMS server pushes updates to agents, a compromised management server becomes a perfect malware distribution system. The payload is masquerading as a core Fortinet process, which might bypass basic heuristics if you rely solely on file reputation.

For those running EMS, ensure you are patched to the latest build immediately. I've whipped up a quick KQL query to help hunt for suspicious child processes spawned by the EMS service on your management servers:

DeviceProcessEvents
| where Timestamp > ago(3d)
| where InitiatingProcessFileName == "FortiClientEMS.exe" or InitiatingProcessFolderPath contains @"Fortinet\FortiClient EMS"
// Filter out known legitimate child processes
| where FileName !in~ ("java.exe", "cmd.exe", "powershell.exe", "conhost.exe") 
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, AccountName


If you are on-prem, you can also run a quick check to see if your version is vulnerable:
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*FortiClient EMS*" } | Select-Object Name, Version

Has anyone seen attempts against their internet-facing EMS consoles yet? I'm curious if standard WAF rules are blocking the exploit attempts effectively or if this is strictly an authenticated access issue.

PR
Proxy_Admin_Nate5/28/2026

Great post. We've been hunting this for a few hours. The trickiest part is that the payload is signed or masquerades so well that it bypasses our standard allow-listing for the EMS directory.

We implemented a Sigma rule based on the parent-child relationship you mentioned. Additionally, check for unexpected outbound SMB connections from the EMS server; the stealer seems to try to move laterally to domain controllers using harvested credentials.

DL
DLP_Admin_Frank5/28/2026

Patching EMS is always a headache for us because it breaks the agent connectivity for a few minutes during the upgrade. In the meantime, we've blocked external access to the EMS management ports (80/443) at the firewall level and are forcing VPN access for management.

It's not a fix, but it reduces the attack surface while we schedule the maintenance windows for our 50+ instances.

NE
NetGuard_Mike5/28/2026

From a pentest perspective, this is a gold mine for attackers. If you get access to the EMS, you effectively own the whole fleet without touching the endpoints directly.

Make sure to check the C:\Program Files (x86)\Fortinet\FortiClient EMS\uploads or similar temp directories. In the cases I've analyzed, the dropper lingers there even after execution. Hash everything in that folder against VirusTotal.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created5/28/2026
Last Active5/28/2026
Replies3
Views53