An Improper Access Control vulnerability (CWE-284) in FortiClient EMS allows unauthenticated attackers to execute arbitrary code via crafted API requests, with a CVSSv3 score of 9.1. The vulnerability is actively exploited and affects FortiClient EMS versions 7.4.5 and 7.4.6. Fortinet provides hotfixes for these versions and advises applying them immediately; the upcoming version 7.4.7 will also contain the fix.
CVSSv3 Score: 9.1 An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, by following the instructions at:https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 - for FortiClientEMS 7.4.5https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 - for FortiClientEMS 7.4.6Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime the hotfix above is sufficient to prevent it entirely. Revised on 2026-04-04 00:00:00