API authentication and authorization bypass
CVSSv3 Score: 9.1 An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, by following the instructions at:https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 - for FortiClientEMS 7.4.5https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 - for FortiClientEMS 7.4.6Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime the hotfix above is sufficient to prevent it entirely. Revised on 2026-04-04 00:00:00
CSIRTS triage
- What
- An improper access control vulnerability allows unauthenticated attackers to execute unauthorized code or commands.
- Who is affected
- Customers using FortiClient EMS versions 7.4.5 and 7.4.6 are affected.
- Urgency
- Remediation is urgent as the vulnerability is actively exploited in the wild.
- Action
- Install the hotfix for FortiClient EMS 7.4.5 and 7.4.6.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch FortiClient EMS
Get an email when a new FortiClient EMS advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-099
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation likely imminentCVE-2026-35616EPSS puts this in the most-targeted tier (88.5% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-35616 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalexploitedCVE-2026-35616: Fortinet FortiClient EMS Improper Access Control Vulnerabilitycisa-kev
Recent advisories for API authentication and
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-38059: The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authenticatio…nvd · 2026-07-10
- highCVE-2026-38057: The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authenti…nvd · 2026-07-10
- mediumCVE-2026-56460: HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenti…nvd · 2026-07-09
- highCVE-2026-35552: In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2…nvd · 2026-07-08
- unknownCVE-2026-60124: An authorization bypass in MISP’s EventsController::importModule() allowed authenticated users…nvd · 2026-07-08
- criticalCVE-2026-56843: Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-priv…nvd · 2026-07-08
More from Fortinet FortiGuard PSIRT
- unknownSecond-Order OS Command Injection via JSON Input on start vnc feature2026-06-09
- unknownImproper access control in API endpoints2026-06-09
- unknownRestricted CLI escape using Lua2026-06-09
- unknownLinux Kernel vulnerability Dirty Frag2026-06-03
- unknownLinux Kernel Vulnerability copy.fail - CVE-2026-314312026-05-13