FortiClient EMS Breach Exposes Systemic Flaws in Centralized Endpoint Defense
Active exploitation of FortiClient EMS turns trusted management infrastructure into a mass credential-theft vector, exposing patch-management and monitoring gaps mainstream reports overlook.
The exploitation of CVE-2026-35616 in FortiClient EMS reveals a maturing attacker tactic: weaponizing enterprise management planes rather than chasing individual endpoints. Arctic Wolf's May 2026 reporting correctly flags the pre-auth API bypass and PowerShell delivery of the FortiEndpoint_Patch stealer via fortitray.exe, yet understates how this mirrors prior management-console compromises such as the 2023 MOVEit and 2024 Ivanti Connect Secure campaigns. Once the EMS server is owned, every managed device becomes an unwitting distribution node without lateral movement, a pattern Fortinet's own PSIRT advisory (FG-IR-26-156) only partially addresses by recommending version 7.4.7+.

Mainstream coverage misses the downstream intelligence value: harvested Chromium/Gecko credentials enable session-reuse attacks that bypass MFA, feeding directly into cloud and SaaS persistence. Two additional vectors compound the risk. First, the observed config tampering—disabling upgrade reminders and injecting Remote Access Profiles—creates a durable foothold that survives reboots. Second, the stealer's lack of native C2 forces reliance on the attacker's 83.138.53[.]110 drop, creating a detectable but still under-monitored exfil path.

Organizations treating endpoint management as a trusted black box are effectively outsourcing their perimeter; the FortiClient incident demonstrates that patch cadence alone is insufficient without immutable logging and anomaly detection on EMS policy changes. This is not an isolated Fortinet problem but evidence that centralized control planes have become high-value targets in the post-SolarWinds era.
SENTINEL: Centralized endpoint managers like FortiClient EMS are now primary targets; defenders must treat policy-change logs as critical telemetry or risk silent, enterprise-wide malware deployment.
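The analysis above argues that EMS policy-change logs, the fortitray.exe-to-PowerShell delivery step, and egress to the attacker's drop host are each detectable on their own and far stronger when correlated per host. The following Python is an added example written for this page, not code from Fortinet, Arctic Wolf, or the original article. It assumes a simple key=value event layout with fields `src`, `actor`, `auth`, `action`, `host`, `parent`, `child`, and `dst`; that layout and the sample events are constructed for illustration and do not reflect FortiClient EMS's real log format. The only values taken from the page are the two tampering actions described and the 83.138.53[.]110 drop address.

```python
"""Detection sketch for the three observables discussed in the article:
EMS policy tampering, fortitray.exe spawning PowerShell, and egress to the
known drop host. Log layout and sample events are constructed, not real."""
import re
from dataclasses import dataclass
from typing import Optional

# IoC from the report, refanged for matching against raw telemetry.
DROP_HOST = "83.138.53[.]110".replace("[.]", ".")

# EMS policy changes the report describes as attacker config tampering.
SUSPICIOUS_POLICY_ACTIONS = {
    "disable_upgrade_reminder": "upgrade reminders disabled; clients stay on a vulnerable build",
    "add_remote_access_profile": "Remote Access Profile injected; durable foothold across reboots",
}

# Constructed sample telemetry (hypothetical key=value format, hosts and times invented).
SAMPLE_EVENTS = [
    "ts=2026-05-06T09:12:01Z src=ems_audit actor=admin.jdoe auth=sso action=update_schedule target=all",
    "ts=2026-05-06T09:14:33Z src=ems_audit actor=api auth=none action=disable_upgrade_reminder target=all",
    "ts=2026-05-06T09:14:40Z src=ems_audit actor=api auth=none action=add_remote_access_profile target=all",
    "ts=2026-05-06T09:15:02Z src=endpoint host=WS-0412 parent=fortitray.exe child=powershell.exe",
    "ts=2026-05-06T09:15:03Z src=endpoint host=WS-0412 parent=explorer.exe child=chrome.exe",
    "ts=2026-05-06T09:15:20Z src=egress host=WS-0412 dst=83.138.53.110 dport=443 proto=tcp",
    "ts=2026-05-06T09:16:00Z src=egress host=WS-0412 dst=142.250.80.46 dport=443 proto=tcp",
]


@dataclass
class Finding:
    severity: str
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn a key=value line into a dict; an unparseable line yields {}."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def evaluate(ev: dict) -> Optional[Finding]:
    """Apply the three rules to one parsed event; None if nothing matched."""
    src = ev.get("src")
    if src == "ems_audit" and ev.get("action") in SUSPICIOUS_POLICY_ACTIONS:
        detail = SUSPICIOUS_POLICY_ACTIONS[ev["action"]]
        # auth=none models a caller that reached the API without a session
        # (the pre-auth bypass); field semantics are an assumption of this example.
        if ev.get("auth") == "none":
            detail += " (unauthenticated API caller)"
        return Finding("high", "ems_policy_tamper", "EMS", detail)
    if src == "endpoint" and ev.get("parent", "").lower() == "fortitray.exe" \
            and ev.get("child", "").lower() == "powershell.exe":
        return Finding("high", "fortitray_spawns_powershell", ev.get("host", "?"),
                       "FortiClient tray process launched PowerShell")
    if src == "egress" and ev.get("dst") == DROP_HOST:
        return Finding("high", "egress_to_known_drop", ev.get("host", "?"),
                       f"connection to reported drop host {DROP_HOST}")
    return None


def analyze(lines) -> list:
    """Run every line through the rules and collect the findings in order."""
    findings = []
    for line in lines:
        f = evaluate(parse_event(line))
        if f is not None:
            findings.append(f)
    return findings


def hosts_with_full_chain(findings) -> set:
    """Hosts where both the delivery step and the exfil step were observed.
    Either signal alone is worth a ticket; together they are a confirmed chain."""
    delivered = {f.host for f in findings if f.rule == "fortitray_spawns_powershell"}
    exfil = {f.host for f in findings if f.rule == "egress_to_known_drop"}
    return delivered & exfil


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity}] {f.rule} host={f.host}: {f.detail}")
    print("hosts with full chain:", sorted(hosts_with_full_chain(results)))
```

The policy-tamper rule is the one the article says most organizations lack: it fires on the EMS audit trail itself, before any endpoint has executed anything, which is the earliest point at which a compromised management plane can be caught. The egress rule is only as good as the IoC list behind it, so the per-host correlation in `hosts_with_full_chain` matters more in practice than the single address used here.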
Sources (3)
- [1] Primary Source: https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
- [2] Fortinet PSIRT Advisory: https://www.fortiguard.com/psirt/FG-IR-26-156
- [3] Arctic Wolf Threat Report: https://arcticwolf.com/resources/blog/forticlient-ems-exploitation-2026