PSIRT Advisories

FortiClientEMS - Directory Traversal vulnerability


A path traversal vulnerability [CWE-22] in FortiClientEMS may allow an authenticated attacker to inject directory traversal character sequences into the name parameter of Deployment Packages and thereby add or delete files on the server.
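The following is an added example, not Fortinet's code and not part of the original advisory: a Python illustration of confining a user-supplied package name to a single directory, shown beside the unchecked join that allows the CWE-22 class of bug described above. The function names, the `UnsafeName` exception, and the sample directory and package names are hypothetical.

```python
import os
from pathlib import Path


class UnsafeName(ValueError):
    """Raised when a package name could escape the package directory."""


def naive_package_path(base_dir, name):
    # Unchecked pattern: the caller-supplied name is joined as-is, so
    # "../" sequences are collapsed into a path outside base_dir.
    return os.path.normpath(os.path.join(base_dir, name))


def safe_package_path(base_dir, name):
    # 1. Syntactic checks: the name must be a single path component.
    #    ":" is rejected because on Windows it introduces drive-relative
    #    paths ("C:x") and alternate data streams ("x:stream").
    if not name or name in (".", "..") or any(c in name for c in "/\\:\x00"):
        raise UnsafeName(f"rejected package name: {name!r}")
    # 2. Canonical check: resolve symlinks and confirm the result is a
    #    direct child of the (also resolved) base directory.
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise UnsafeName(f"name resolves outside {base}: {name!r}")
    return candidate


if __name__ == "__main__":
    base = "/srv/ems/packages"  # constructed sample directory
    samples = ["win10-rollout", "../../outside.txt", "..\\..\\outside.txt"]
    for name in samples:  # constructed sample names
        print("naive:", naive_package_path(base, name))
        try:
            print("safe: ", safe_package_path(base, name))
        except UnsafeName as exc:
            print("safe:  blocked:", exc)
```

The canonical check in step 2 also rejects a name that is a symlink inside the base directory pointing elsewhere, which the syntactic check alone would miss.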

Affected Products

FortiClientEMS version 6.4.1 and below.
FortiClientEMS version 6.2.8 and below.


Please upgrade to version 6.2.9 or above.

Please upgrade to version 6.4.2 or above.


Fortinet is pleased to thank Researcher Johnatan Camargo and Researcher Danilo Costa for reporting this vulnerability under responsible disclosure.