Hotfix issued for FortiClient EMS 7.4.5/7.4.6 to fix actively exploited API authentication-bypass flaw
- Fortinet on May 19 urged customers to install a hotfix for FortiClient EMS 7.4.5 and 7.4.6 after reporting active exploitation.
- Fortinet said the flaw lets an unauthenticated attacker execute unauthorized code or commands via crafted requests; version 7.4.7 is slated to include the fix.
- Fortinet’s PSIRT advisory and the EMS hotfix instructions in the release notes remain the primary references for affected customers and administrators.
Fortinet told customers on May 19 to apply an emergency hotfix to FortiClient EMS versions 7.4.5 and 7.4.6 after disclosing an actively exploited vulnerability in the endpoint management product. The company’s PSIRT advisory describes the issue as an improper access control flaw in FortiClient EMS that can let an unauthenticated attacker execute unauthorized code or commands through crafted requests. Fortinet said the hotfix is available now for the two affected builds and that FortiClient EMS 7.4.7 will include the fix.

### What exactly did Fortinet say customers need to do?

Fortinet said vulnerable customers should install the hotfix for FortiClient EMS 7.4.5 and 7.4.6 immediately, following the instructions in the product’s EMS release notes. The advisory lists FortiClient EMS 7.4.5 through 7.4.6 as affected, says 7.2 is not affected, and states that upgrading to 7.4.7 or above is the long-term remedy. (fortiguard.fortinet.com)

The company also said FortiClient Cloud and FortiSASE had already been remediated, so customers using those services do not need to take action. That narrows the immediate response to self-managed FortiClient EMS deployments running the affected 7.4 builds.

### What is FortiClient EMS, and why does this system matter?

FortiClient EMS, or Endpoint Management Server, is Fortinet’s centrally managed platform for administering FortiClient deployments across Windows, macOS, Linux, Android, iOS and ChromeOS devices. (fortiguard.fortinet.com) Fortinet’s documentation describes EMS as the management layer for provisioning, monitoring and controlling endpoint software. (docs.fortinet.com)

Because EMS sits in the management path for endpoint fleets, a flaw that bypasses authentication in its API layer can expose administrative functions rather than just a single user session. Fortinet’s advisory does not spell out post-compromise scenarios in detail, but it says an unauthenticated attacker could execute unauthorized code or commands through crafted requests.

### How severe is the vulnerability based on Fortinet’s own disclosure?

Fortinet said it has observed the vulnerability being exploited in the wild. That language in a vendor advisory means the company is treating the issue as more than a theoretical risk and is asking customers to patch on an urgent basis. The advisory credits Simo Kohonen from Defused and Nguyen Duc Anh with reporting the issue under responsible disclosure. (fortiguard.fortinet.com) Fortinet’s public advisory page is identified as FG-IR-26-099 and describes the bug as a PSIRT “API authentication and authorization bypass” issue.

### Is this the same flaw some social posts tied to Microsoft Authenticator token theft?

Fortinet’s public advisory does not mention Microsoft Authenticator token theft. The company’s own description is narrower: it says the flaw is an improper access control vulnerability in FortiClient EMS that allows unauthorized code or command execution via crafted requests. (fortiguard.fortinet.com)

The safest reading, based on primary-source documentation, is that customers should follow Fortinet’s remediation guidance without assuming additional attack details unless Fortinet or the named researchers publish them separately. Social posts may describe possible attack chains or observed tradecraft, but Fortinet’s advisory is the authoritative source for the vendor-confirmed scope and fix path. (fortiguard.fortinet.com)

### Which versions are in scope, and which are not?

Fortinet’s advisory says the affected range is FortiClient EMS 7.4.5 through 7.4.6. The same advisory says FortiClient EMS 7.2 is not affected. Fortinet’s 7.4.5 release notes identify that build as 7.4.5.2111.M, which helps administrators confirm whether a deployment falls inside the affected range.
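The version scope above is easy to misread when an inventory mixes short version numbers with full build strings such as 7.4.5.2111.M. The following script is an added example for this article, not Fortinet tooling: it parses EMS version strings in both forms and classifies each host against the ranges the advisory states (7.4.5 through 7.4.6 affected, 7.2 not affected, 7.4.7 or above fixed). Builds the advisory does not mention, such as 7.4.0 through 7.4.4, are reported as "unlisted" rather than assumed safe. The hostnames and versions in the sample inventory are constructed for illustration. Note that the script only reads version strings; it cannot tell whether the hotfix has already been installed on a 7.4.5 or 7.4.6 server, so treat "affected" as "verify hotfix status against the EMS release notes".

```python
import re
from collections import defaultdict

# Scope as stated in Fortinet's FG-IR-26-099 advisory (see the text above):
# 7.4.5 through 7.4.6 affected, 7.2 not affected, 7.4.7 or above carries the fix.
AFFECTED_MIN = (7, 4, 5)
AFFECTED_MAX = (7, 4, 6)
FIXED_MIN = (7, 4, 7)
NOT_AFFECTED_BRANCH = (7, 2)

# Accepts "7.4.5", "7.4.5.2111" and "7.4.5.2111.M" (the form used in the
# 7.4.5 release notes). The build number and trailing tag are parsed but do
# not influence the decision; only major.minor.patch is compared.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:\.(?P<build>\d+))?(?:\.(?P<tag>[A-Za-z]+))?$"
)


def parse_ems_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from an EMS version string, or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EMS version string: {text!r}")
    return int(m["major"]), int(m["minor"]), int(m["patch"])


def classify(text: str) -> str:
    """Map a version string to one of: affected, fixed, not-affected, unlisted.

    'unlisted' means the advisory says nothing about that build (for example
    7.4.0 through 7.4.4, or another major release); it is a prompt to read the
    advisory, not a clean bill of health. Only the 7.4 branch at 7.4.7 or above
    is reported as 'fixed', which is the conservative reading of "7.4.7 or above".
    """
    v = parse_ems_version(text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v[:2] == NOT_AFFECTED_BRANCH:
        return "not-affected"
    if v[:2] == FIXED_MIN[:2] and v >= FIXED_MIN:
        return "fixed"
    return "unlisted"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group EMS hosts by status; strings that do not parse land under 'unparsed'."""
    groups: dict[str, list[str]] = defaultdict(list)
    for host, version in sorted(inventory.items()):
        try:
            groups[classify(version)].append(host)
        except ValueError:
            groups["unparsed"].append(host)
    return dict(groups)


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ems-hq": "7.4.5.2111.M",
    "ems-dc2": "7.4.6",
    "ems-lab": "7.4.7",
    "ems-legacy": "7.2.10",
    "ems-old": "7.4.3",
    "ems-broken": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts)}")
```

Feed it the version strings as they appear in your own EMS inventory; any host under "affected" needs the hotfix or the 7.4.7 upgrade, and any host under "unlisted" or "unparsed" needs a manual check against the advisory.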
Fortinet’s documentation for EMS hotfixes says a hotfix contains a subset of EMS binaries intended to address a specific issue without waiting for the next broader release. (fortiguard.fortinet.com) In this case, the company said the hotfix fully prevents the issue until 7.4.7 becomes available.

### What should customers watch for next?

Fortinet said the next milestone is FortiClient EMS 7.4.7, which will include the fix for the vulnerability. (fortiguard.fortinet.com) Until then, the company is directing customers running 7.4.5 or 7.4.6 to the hotfix installation instructions in the EMS release notes and to the PSIRT advisory for any updates.