Threat actors have seized on a critical vulnerability in Fortinet’s endpoint management software. They use it to push credential-stealing malware straight to thousands of corporate devices at once. The attack chain starts with a single compromised server. It ends with browser data harvested from endpoints across an organization. This isn’t some sophisticated zero-day chain requiring custom tooling. It’s a straightforward abuse of trusted infrastructure. And it’s happening right now.

The vulnerability, tracked as CVE-2026-35616, carries a CVSS score of 9.1. It allows unauthenticated attackers to bypass API authentication in FortiClient Endpoint Management Server versions 7.4.5 and 7.4.6. Fortinet patched it in version 7.4.7. Fortinet’s advisory confirmed active exploitation shortly after disclosure in early April 2026. CISA added it to the Known Exploited Vulnerabilities catalog days later.

But the story didn’t end with the patch. Arctic Wolf researchers spotted continued activity in May.…