Fortinet Discloses Critical Authentication Bypass in FortiClient EMS Under Active Exploitation
Fortinet disclosed CVE-2026-XXXX, a critical improper access control vulnerability in FortiClient EMS versions 7.4.5 and 7.4.6, which is being actively exploited in the wild.

Fortinet has disclosed a critical vulnerability in its FortiClient Enterprise Management Server (EMS) that is already being exploited in the wild. Tracked as CVE-2026-XXXX and carrying a CVSS score of 9.1, the flaw is an improper access control vulnerability (CWE-284) that allows an unauthenticated attacker to execute unauthorized code or commands via crafted API requests. The affected versions are FortiClient EMS 7.4.5 and 7.4.6, while version 7.2 and earlier are not impacted.
The vulnerability resides in the EMS API layer, where insufficient authorization checks fail to validate the identity of incoming requests. An attacker who can reach the EMS management interface over the network can send specially crafted API calls to trigger arbitrary code execution or command injection. Because the exploit requires no authentication, the attack surface is broad for any organization that has exposed the EMS management interface to the internet or to untrusted networks.
Fortinet has confirmed that the vulnerability is being actively exploited, though the company has not yet released specific details about the observed attack campaigns. The advisory notes that the issue was reported by Simo Kohonen from Defused and Nguyen Duc Anh under responsible disclosure, and that a hotfix has been released for the affected versions. The upcoming FortiClient EMS 7.4.7 release will also include the permanent fix.
Organizations running FortiClient EMS 7.4.5 or 7.4.6 are urged to upgrade to version 7.4.7 or later immediately. For customers using FortiClient Cloud or FortiSASE, Fortinet states that the issue has already been remediated on the cloud side and no customer action is required. Until patching can be completed, the company also recommends restricting access to the EMS management interface to trusted IP addresses and networks as a mitigation.
The disclosure comes amid a broader trend of attackers targeting enterprise management servers and endpoint management solutions. FortiClient EMS is widely deployed in enterprise environments to manage endpoint security policies, making it a high-value target for threat actors seeking to gain a foothold inside corporate networks. The active exploitation of this vulnerability underscores the urgency for administrators to prioritize patching.
Fortinet has not yet assigned a formal CVE identifier in the advisory, but the vulnerability is expected to be added to CISA's Known Exploited Vulnerabilities catalog in the coming days. Security teams should monitor Fortinet's PSIRT page for updates and ensure that no unauthorized access has occurred on their FortiClient EMS instances.
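The two defensive steps the advisory points at, restricting the management interface to trusted networks and checking for unauthorized access, can be combined into a simple triage of access records. The script below is an added example written for this article; it is not Fortinet code, and the log format, the `auth=` field, the API paths and the trusted networks are all constructed for illustration (FortiClient EMS's real log format is not described on this page). It checks each client address against an allowlist of trusted CIDR ranges and flags accepted requests from outside those ranges, with unauthenticated accepted requests ranked highest for review.

```python
"""Triage management-interface access records against a trusted-network allowlist.

Added illustration, not Fortinet code. The record format, field names, paths
and addresses below are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional

# Hypothetical trusted management networks an administrator would allowlist.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")
]

# Constructed sample records in an invented format:
#   <timestamp> <client-ip> <method> <path> <status> auth=<mode>
# This is NOT the real FortiClient EMS log format.
SAMPLE_LOG = """\
2026-03-01T08:00:01Z 10.20.4.15 GET /api/example/status 200 auth=session
2026-03-01T08:00:07Z 198.51.100.23 POST /api/example/config 200 auth=none
2026-03-01T08:00:09Z 192.168.50.8 POST /api/example/config 200 auth=session
2026-03-01T08:00:12Z 203.0.113.77 POST /api/example/config 401 auth=none
garbage line that should be skipped
"""


def is_trusted(client_ip: str) -> bool:
    """True if client_ip falls inside an allowlisted network.

    Anything that does not parse as an IP address is treated as untrusted,
    so a malformed or spoofed field never silently passes the check.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed-format record into fields; None if malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].startswith("auth="):
        return None
    ts, ip, method, path, status, auth = parts
    return {
        "ts": ts, "ip": ip, "method": method, "path": path,
        "status": status, "auth": auth.split("=", 1)[1],
    }


def classify(rec: Dict[str, str]) -> str:
    """Assign a verdict to one record.

    ok                         - source inside a trusted network
    blocked-untrusted          - untrusted source, request rejected (non-2xx)
    investigate                - untrusted source, request accepted
    investigate-unauthenticated- untrusted source, accepted with no authentication
    """
    if is_trusted(rec["ip"]):
        return "ok"
    if not rec["status"].startswith("2"):
        return "blocked-untrusted"
    if rec["auth"] == "none":
        return "investigate-unauthenticated"
    return "investigate"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return every record that is not plainly 'ok', annotated with its verdict."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        verdict = classify(rec)
        if verdict != "ok":
            findings.append({**rec, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:28} {f['ip']:16} {f['method']} {f['path']} {f['status']}")
```

Any `blocked-untrusted` finding shows that the management interface is reachable from a network that should not have access and that the allowlist still needs to be applied; an `investigate-unauthenticated` finding on a system running an affected version is the case that warrants an incident-response review rather than just a firewall change.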