Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Articles & Coverage 3
AnalysisAI
Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute arbitrary code via crafted network requests. The vulnerability stems from improper access control (CWE-284) and requires no user interaction or privileges (CVSS PR:N). With a CVSS score of 9.1 (Critical) and low attack complexity, this represents a severe exposure for organizations using affected FortiClientEMS versions. The CVSS temporal metrics indicate functional exploit code exists (E:F) with an official fix available (RL:O), making this a high-priority patching target despite no confirmed active exploitation (not present in CISA KEV).
Technical ContextAI
FortiClientEMS is Fortinet's endpoint management system used to centrally manage FortiClient deployments across enterprise environments. The vulnerability is rooted in CWE-284 (Improper Access Control), indicating insufficient enforcement of security boundaries when processing network requests. The affected product CPE (cpe:2.3:a:fortinet:forticlientems) identifies this as an application-level flaw in the management server component. The network attack vector (AV:N) combined with no authentication requirement (PR:N) suggests the vulnerable endpoint is exposed without proper authentication checks, allowing remote attackers to bypass access controls entirely. This class of vulnerability typically involves API endpoints, administrative interfaces, or command handlers that fail to validate caller privileges before executing privileged operations, enabling unauthorized code execution with the permissions of the FortiClientEMS service itself.
RemediationAI
Organizations should immediately upgrade FortiClientEMS to a patched version as specified in the official Fortinet security advisory at https://fortiguard.fortinet.com/psirt/FG-IR-26-099. The CVSS temporal metric RL:O indicates an official remediation is available from the vendor. Until patching is complete, network-level mitigations should be implemented including restricting access to FortiClientEMS management interfaces to trusted IP ranges only, deploying intrusion prevention signatures to detect exploitation attempts, and monitoring FortiClientEMS logs for unusual authentication patterns or command execution. Given the authentication bypass nature and network attack vector, firewall rules limiting exposure of the management interface to the public internet provide critical interim protection. Organizations should prioritize this remediation given the functional exploit code availability and critical severity rating.
Fortinet FortiWeb contains a relative path traversal allowing unauthenticated attackers to execute administrative comman
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized c
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0
Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9
A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in
Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5
The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,
Cross-site scripting (XSS) vulnerability in the sslvpn login page in Fortinet FortiOS 5.2.x before 5.2.3 allows remote a
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18963