Pervasive SQL injection in DAS component


An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.

Version              Affected                  Solution
FortiClientEMS 7.2   7.2.0 through 7.2.2       Upgrade to 7.2.3 or above
FortiClientEMS 7.0   7.0.1 through 7.0.10      Upgrade to 7.0.11 or above

Virtual Patch named "FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection" is available in FMWP db update 27.750.

This vulnerability is exploited in the wild.

Note that production FortiSASE was patched with a fix on 2024-03-05.


Co-discovered and reported by Thiago Santana from the Fortinet FortiClientEMS development team and the UK NCSC.


2024-02-22: Initial publication
2024-03-21: Added IPS signature information
2024-04-26: Added FortiSASE's fix timeline