CVE-2025-61848

Description

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via JSON RPC API

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Physical

Changed

Affected products

fortinet / fortianalyzer7.6.3 – 7.6.3
fortinet / fortianalyzer7.6.0 – 7.6.0
fortinet / fortianalyzer7.6.1 – 7.6.1
fortinet / fortianalyzer7.6.2 – 7.6.2
fortinet / fortianalyzercloud7.6.2 – 7.6.2
fortinet / fortianalyzercloud7.6.3 – 7.6.3
fortinet / fortimanager7.6.2 – 7.6.2
fortinet / fortimanager7.6.3 – 7.6.3
fortinet / fortimanager7.6.0 – 7.6.0
fortinet / fortimanager7.6.1 – 7.6.1
fortinet / fortimanagercloud7.6.3 – 7.6.3
fortinet / fortimanagercloud7.6.4 – 7.6.4
fortinet / fortimanagercloud7.6.2 – 7.6.2

References

VENDOR_ADVISORYhttps://fortiguard.fortinet.com/psirt/FG-IR-26-111