Pervasive SQL injection in DAS component
Summary
An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.
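The advisory gives no code, so the following is an added illustration of the CWE-89 pattern it names; it is generic example code, not Fortinet's code and not the FortiClientEMS DAS component. It places a query that splices untrusted input into SQL text beside the parameterized form, using Python's standard `sqlite3` module. The `users` table, its rows, the function names and the probe string are all constructed for this example; it shows only the injection primitive, not the code-execution outcome the advisory describes.

```python
import sqlite3


def build_db():
    # Constructed in-memory table standing in for any application's user
    # store; the schema and rows are invented for this illustration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "tok-alice"), ("bob", "tok-bob")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # CWE-89: the caller's input is concatenated into the SQL text, so any
    # quote character in it ends the string literal and the remainder is
    # parsed as SQL grammar rather than compared as data.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Parameterized query: the input is passed to the driver as a bound
    # value, so it can never alter the structure of the statement.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    # Runs both lookups with a constructed probe that is a valid name for
    # nobody; the difference in results is the vulnerability.
    conn = build_db()
    probe = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, probe),  # every row leaks
        "safe": lookup_safe(conn, probe),              # no match
        "normal": lookup_safe(conn, "alice"),          # ordinary use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every row for the probe because the quote closes the literal and `OR '1'='1'` is evaluated as part of the query; the parameterized lookup returns nothing because the whole string is compared as a single value. Binding parameters is the code-level fix for this class of flaw; the IPS virtual patch listed in the advisory blocks matching requests at the network layer and is a stopgap until the upgrade in the version table is applied.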
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 7.2 | 7.2.0 through 7.2.2 | Upgrade to 7.2.3 or above |
| FortiClientEMS 7.0 | 7.0.1 through 7.0.10 | Upgrade to 7.0.11 or above |
Virtual Patch named "FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection" is available in FMWP db update 27.750
This vulnerability is exploited in the wild
Note that production FortiSASE was patched with a fix on 2024-03-05
Acknowledgement
Co-discovered and reported by Thiago Santana from the Fortinet FortiClientEMS development team and UK NCSC
Timeline
2024-02-22: Initial publication
2024-03-21: Added IPS signature information
2024-04-26: Added FortiSASE's fix timeline