FortiClient EMS Vulnerability Allows AD Connector Impersonation
A critical flaw in FortiClient EMS enables unauthenticated attackers to impersonate AD Connectors, potentially leading to unauthorized access.

Fortinet has disclosed a significant security vulnerability within its FortiClient Enterprise Management Server (EMS) product, specifically impacting the communication between the AD Connector and the EMS.
The vulnerability, identified as an Improper Certificate Validation flaw (CWE-295), allows a remote, unauthenticated attacker to impersonate a legitimate AD Connector. This impersonation is achievable by leveraging a valid API key, which could be obtained through other means or social engineering.
The CVSSv3 score for this vulnerability is rated at 6.7, classifying it as medium-high severity. While it requires a valid API key, the lack of authentication for the certificate validation itself presents a critical pathway for attackers to gain a foothold within the managed environment.
FortiClient EMS versions 7.4.3 through 7.4.5 and all versions of 7.2 are affected by this vulnerability. Fortinet strongly advises users to upgrade to FortiClient EMS 7.4.6 or a later release to remediate the issue. For users on the 7.2 branch, a migration to a fixed release is recommended.
Fortinet acknowledged Ramn Costales de Ledesma from Telefonica de Espaa for responsibly reporting the vulnerability. The company's PSIRT (Product Security Incident Response Team) published the advisory on July 14, 2026, marking the initial disclosure of this security concern.
This vulnerability highlights the ongoing importance of robust certificate validation mechanisms in enterprise security products. Attackers continuously seek ways to bypass security controls, and flaws in how systems verify the identity of communicating components can lead to significant breaches.
Organizations utilizing FortiClient EMS should prioritize applying the necessary updates to mitigate the risk of impersonation attacks. Failure to do so could expose sensitive network configurations and potentially allow attackers to gain unauthorized access to critical management functions.