A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
The vulnerability results from improper access control implementation (CWE-284), which does not require the attacker to possess any credentials. An attacker can send specially crafted network requests to the vulnerable FortiClientEMS server, bypassing authentication mechanisms. As a result, arbitrary code or commands can be executed in the context of the application.
An attacker gains the ability to execute code or commands without authorization on the vulnerable system without requiring authentication, which may lead to complete takeover of the FortiClientEMS server and compromise of data confidentiality, integrity, and availability.
Apply patches available from the vendor immediately according to references published by Fortinet at https://fortiguard.fortinet.com/psirt/FG-IR-26-099. Until updates are deployed, it is recommended to restrict access to the FortiClientEMS interface to trusted IP addresses only and implement network segmentation.
Fortinet FortiClientEMS versions 7.4.5 and 7.4.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFortinet Forticlientems
APPFortinet7.4.57.4.6
CISA KEV — detailsi
- Vendori
- Fortinet ↗
- Producti
- FortiClient EMS
- Added to KEVi
- April 6, 2026
- Remediation deadline (US Federal)i
- April 9, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Related vulnerabilities
SQL Injection w Fortinet FortiClientEMS — nieautoryzowane wykonanie kodu
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89]...
An improper restriction of excessive authentication attempts [CWE-307] in FortiClientEMS version 7.2.0 through...
A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortin...
A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow a...