A critical vulnerability in FortiClient Endpoint Management Server, first patched in April, is now being actively exploited to deploy information-stealing malware disguised as a fake Fortinet security update. The flaw, which carries a CVSS score of nine point one and requires no authentication, allows attackers to execute malicious PowerShell commands through FortiClient's own management system, enabling them to steal browser credentials and data from every managed endpoint. CISA has added the vulnerability to its Known Exploited Vulnerabilities list, and organizations are urged to apply Fortinet's patches immediately.