API authentication and authorization bypass
Summary
CVSSv3 Score: 9.1 An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, by following the instructio…
CISA Known Exploited Vulnerability
- Listed:
- Apr 6, 2026 · federal remediation due Apr 9, 2026
- Required action:
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Ransomware use:
- Unknown
KEV is a prioritization signal from CISA — remediation detail still comes from the vendor advisory.
- FortiClientEMS 7.4: 7.4.5 through 7.4.6
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
- FortiClientEMS 7.4: 7.4.7
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
- Upgrade per the Affected/Solution table: FortiClientEMS 7.4: 7.4.7.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.