A credential-stealing Trojan disguised as a routine Fortinet security patch has been hitting enterprise networks, quietly siphoning saved passwords from Chrome and Firefox on corporate workstations. The campaign exploits one of the most trusted channels in corporate IT: the vendor update process itself. Security teams trained to patch fast are instead installing malware that hands attackers the keys to internal applications, cloud platforms, VPNs, and email accounts.
The threat was flagged after the underlying vulnerability appeared in the National Vulnerability Database maintained by the National Institute of Standards and Technology, and was subsequently added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. CISA reserves KEV designation for flaws with confirmed real-world exploitation, not theoretical risk. Federal civilian agencies must remediate KEV-listed vulnerabilities within strict deadlines, and thousands of private-sector organizations use the catalog as their baseline for patch prioritization.
For companies running affected Fortinet product versions, that KEV listing converts a routine advisory into an urgent operational directive.
Why this attack works so well
The campaign’s effectiveness comes from exploiting trust, not just code. Enterprise security teams are drilled to apply vendor patches quickly, especially on firewalls and security appliances where delays can leave networks exposed. Attackers packaged their payload to look like exactly the kind of update an administrator would rush to install.
Once executed, the malware targets the local credential stores in Chrome and Firefox. Those two browsers dominate enterprise desktops, and many employees still rely on built-in password managers to store credentials for dozens of internal and external services. A single compromised workstation can yield login details for SaaS dashboards, corporate email, remote-access VPNs, and cloud infrastructure consoles. Attackers who harvest those credentials gain a foothold that extends far beyond the original infected machine.
The technique is not new, but the delivery vehicle makes it unusually dangerous. Phishing emails carrying malicious attachments trigger suspicion. A file that presents itself as a Fortinet security patch triggers urgency.
Fortinet has been here before
This campaign lands against a backdrop of repeated Fortinet-targeted attacks. In late 2024, CISA issued an emergency directive after threat actors exploited CVE-2024-47575, a critical flaw in FortiManager that researchers dubbed “FortiJump.” That vulnerability allowed unauthenticated remote code execution and was used to exfiltrate configuration data from managed FortiGate devices. Earlier, CVE-2023-27997, a heap-based buffer overflow in FortiOS SSL-VPN, gave attackers pre-authentication remote code execution on internet-facing appliances.
In January 2025, a threat actor leaked configuration files and VPN credentials for over 15,000 FortiGate devices, data believed to have been harvested through earlier, unpatched vulnerabilities. The pattern is clear: Fortinet’s massive global install base makes it a high-value target, and attackers have repeatedly found ways to turn that footprint into an attack surface.
The current campaign adds a social-engineering layer on top of that history. Rather than exploiting a flaw in Fortinet’s code directly, the attackers exploit the brand’s authority and the muscle memory of administrators who associate Fortinet updates with safety.
What is still unknown
Several important details remain unconfirmed in public reporting as of June 2026. The exact distribution method for the fake updates has not been documented in an official Fortinet advisory or a published incident-response report. Two scenarios are plausible: attackers may have compromised a legitimate update channel (a true supply-chain attack), or they may have distributed the malicious files through phishing emails and spoofed download portals designed to mimic Fortinet’s branding. The distinction matters. A supply-chain compromise would require Fortinet to audit its signing and distribution infrastructure. A social-engineering campaign shifts the burden toward endpoint detection and user verification procedures.
The scale of credential theft also lacks public numbers. No disclosure from CISA, Fortinet, or any named victim organization has quantified how many machines were compromised or how many credential sets were exfiltrated. Fortinet products are deployed across industries and continents, so the potential attack surface is broad, but potential exposure is not the same as confirmed compromise.
Attribution is open as well. No government agency or major threat-intelligence firm has publicly named a threat actor or nation-state sponsor behind this campaign. Forensic indicators of compromise, command-and-control infrastructure details, and malware sample analyses may exist in private threat-intelligence channels, but none have appeared in the public record reviewed for this report.
What defenders should do now
The lesson here is not to slow down patching. Delayed patches remain one of the most common entry points for attackers. The lesson is to harden the process around how patches are obtained and verified.
Verify digital signatures before installation. Every legitimate Fortinet update carries a cryptographic signature. Administrators should confirm that signature against Fortinet’s published keys before executing any installer, especially one received outside the normal update workflow.
Download only from official sources. Updates should come directly from Fortinet’s authenticated support portal or through a managed update mechanism already validated by the organization’s security team. Files received via email, third-party repositories, or unfamiliar URLs should be treated as hostile until proven otherwise.
Audit browser credential storage. Organizations should inventory which workstations store passwords in Chrome or Firefox’s built-in managers, particularly on machines used by IT administrators or employees with elevated access. Enterprise password managers with centralized vaulting and monitoring offer significantly better protection against credential-harvesting malware.
Restrict who can install updates on critical systems. Limiting update privileges to a small, trained group reduces the chance that a convincing fake patch gets executed by someone acting on urgency alone.
Monitor for indicators of compromise. Security teams should watch for unusual outbound traffic from endpoints, unexpected browser data access by non-browser processes, and any anomalies in update logs that suggest a file was executed outside the approved patch window.
CISA’s KEV catalog remains the most reliable public signal for prioritizing remediation. Organizations that treat KEV additions as automatic triggers for investigation, not just patching, will be better positioned to catch campaigns like this one before stolen credentials are used for deeper intrusions.
The trust problem that won’t go away
Modern enterprises depend on a dense web of third-party software, hardware, and cloud services. Each vendor maintains its own update mechanism and signing process, and each of those mechanisms is a potential avenue for impersonation. Even when a vendor’s official infrastructure remains uncompromised, attackers can still weaponize the brand recognition and urgency that security patches carry.
This Fortinet-themed campaign is a sharp reminder that the update channel, the one process every security team is told never to skip, can itself become the attack vector. Until more detailed public reporting surfaces, enterprises running Fortinet products should assume exposure is plausible, review their patch histories and credential policies, and prepare to act quickly when additional advisories arrive.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
