Poisoning Federated Recommender Systems with Fake Users

May 13-17, 2024 | Ming Yin, Yichang Xu, Minghong Fang, Neil Zhenqiang Gong
This paper introduces PoisonFRS, a poisoning attack on federated recommender systems (FedRecs) in which fake users promote a targeted item without any knowledge of genuine user data or of the server's aggregation rule. Unlike existing attacks that rely on user data or item popularity, PoisonFRS needs only the item embeddings the server distributes.

The attack selects popular items from those server-provided embeddings, constructs a target model from them, and has the fake users send crafted model updates that pull the global model toward it. The fake users hold no local training data and do not need to generate synthetic data. The attack is effective under a range of aggregation rules, including FedAvg, median, trimmed-mean, Clip, Krum, and HiCS.

Experiments on real-world datasets show that PoisonFRS promotes the targeted item to a large fraction of genuine users with only a small proportion of fake users, and that it outperforms existing attacks even at a low fake-user ratio. Because the updates from genuine and fake users are indistinguishable in the latent space, the attack is hard to detect, and it remains effective against Byzantine-robust aggregation rules. Since it requires no access to local training data or user attributes, the attack is practical in real-world deployments. The study highlights the vulnerability of FedRecs to poisoning and the need for effective defenses.
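The aggregation rules named in the summary, implemented here as an added example (not the paper's code) so a defender can measure how far each aggregate drifts from the honest mean when a fraction of clients submit one coordinated update; the update vectors and client counts are constructed for illustration.

```python
# Added example: Byzantine-robust aggregation rules from the summary (FedAvg,
# coordinate-wise median, trimmed-mean, Krum) and a drift measurement a defender
# can use to compare them. Pure Python; all input values are constructed.
from statistics import median

def fedavg(updates):
    n = len(updates)
    return [sum(u[i] for u in updates) / n for i in range(len(updates[0]))]

def coord_median(updates):
    return [median(u[i] for u in updates) for i in range(len(updates[0]))]

def trimmed_mean(updates, k):
    # Drop the k smallest and k largest values in each coordinate, then average.
    out = []
    for i in range(len(updates[0])):
        col = sorted(u[i] for u in updates)[k:len(updates) - k]
        out.append(sum(col) / len(col))
    return out

def krum(updates, f):
    # Select the update whose squared distances to its n-f-2 nearest neighbours sum lowest.
    n = len(updates)
    def sqdist(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))
    scores = []
    for i, u in enumerate(updates):
        d = sorted(sqdist(u, v) for j, v in enumerate(updates) if j != i)
        scores.append(sum(d[: n - f - 2]))
    return list(updates[scores.index(min(scores))])

def drift(agg, reference):
    # L2 distance between an aggregate and the honest-only FedAvg reference.
    return sum((a - r) ** 2 for a, r in zip(agg, reference)) ** 0.5

def evaluate(honest, crafted, n_fake):
    # honest: genuine update vectors; crafted: one vector replicated n_fake times.
    all_updates = honest + [list(crafted)] * n_fake
    ref = fedavg(honest)
    return {
        "fedavg": drift(fedavg(all_updates), ref),
        "median": drift(coord_median(all_updates), ref),
        "trimmed_mean": drift(trimmed_mean(all_updates, n_fake), ref),
        "krum": drift(krum(all_updates, n_fake), ref),
    }

# Constructed sample: 8 genuine 2-d updates near the origin and 2 coordinated
# updates that push the first dimension (constructed values, not data from the paper).
HONEST = [[0.1 * (i % 3) - 0.1, 0.05 * (i % 2)] for i in range(8)]
CRAFTED = [3.0, 0.0]
if __name__ == "__main__":
    for rule, d in evaluate(HONEST, CRAFTED, 2).items():
        print(f"{rule:13s} drift from honest mean = {d:.3f}")
```

The point of the measurement is that the robust rules resist a small block of identical outliers far from the honest cluster; the paper's claim is that PoisonFRS updates are crafted to sit inside that cluster, which this simple drift metric would not flag.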