CVE-2025-24474

Summary

An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiManager Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiAnalyzer 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; and FortiAnalyzer Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker with high privilege to extract database information via crafted requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiManager7.6.0 <= 7.6.1affected
FortinetFortiManager7.4.0 <= 7.4.6affected
FortinetFortiManager7.2.0 <= 7.2.10affected
FortinetFortiManager7.0.0 <= 7.0.14affected
FortinetFortiManager6.4.0 <= 6.4.15affected
FortinetFortiAnalyzer7.6.0 <= 7.6.1affected
FortinetFortiAnalyzer7.4.0 <= 7.4.6affected
FortinetFortiAnalyzer7.2.0 <= 7.2.10affected
FortinetFortiAnalyzer7.0.0 <= 7.0.14affected
FortinetFortiAnalyzer6.4.0 <= 6.4.15affected

Weaknesses

  • CWE-89: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References