CVE-2025-61848 PUBLISHED

Assigner: fortinet
Reserved: 01.10.2025 Published: 14.04.2026 Updated: 14.04.2026

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via the JSON RPC API.
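The weakness class named above (a JSON-RPC parameter reaching an SQL statement without neutralization), shown as an added, hypothetical illustration. This is not Fortinet code and does not reflect FortiManager's or FortiAnalyzer's internal schema, method names or request format; the table, the "get" method, the "adom" parameter and the injection string are all constructed here for the demonstration. It contrasts a handler that formats the parameter into the query with one that binds it and validates it against an allow-list.

```python
import json
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a managed-device store (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (name TEXT, adom TEXT, serial TEXT)")
    db.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [
            ("fgt-branch-1", "adom-a", "FGT60F0000000001"),
            ("fgt-branch-2", "adom-a", "FGT60F0000000002"),
            ("fgt-hq", "adom-b", "FGT100F000000003"),
        ],
    )
    return db


def rpc(method: str, adom: str) -> str:
    """Build a minimal JSON-RPC request body (hypothetical shape, not the product's)."""
    return json.dumps({"id": 1, "method": method, "params": [{"adom": adom}]})


def vulnerable_handler(db: sqlite3.Connection, rpc_request: str) -> list[str]:
    """CWE-89 pattern: the caller-controlled 'adom' value is formatted into the SQL text."""
    req = json.loads(rpc_request)
    adom = req["params"][0]["adom"]
    sql = f"SELECT name FROM devices WHERE adom = '{adom}'"
    return [row[0] for row in db.execute(sql)]


def hardened_handler(db: sqlite3.Connection, rpc_request: str) -> list[str]:
    """Same method with an allow-list check on the input and a bound parameter."""
    req = json.loads(rpc_request)
    adom = req["params"][0]["adom"]
    if not isinstance(adom, str) or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", adom):
        raise ValueError("invalid adom name")
    rows = db.execute("SELECT name FROM devices WHERE adom = ?", (adom,))
    return [row[0] for row in rows]


# Constructed injection string: closes the quoted literal and appends a tautology.
PAYLOAD = "adom-a' OR '1'='1"


def demo() -> tuple[list[str], list[str], bool, list[str]]:
    """Run both handlers with a benign and an injected parameter; return the outcomes."""
    db = make_db()
    honest = vulnerable_handler(db, rpc("get", "adom-a"))      # only adom-a devices
    injected = vulnerable_handler(db, rpc("get", PAYLOAD))     # every row leaks
    try:
        hardened_handler(db, rpc("get", PAYLOAD))
        blocked = False
    except ValueError:
        blocked = True                                         # payload rejected
    safe = hardened_handler(db, rpc("get", "adom-a"))
    return honest, injected, blocked, safe


if __name__ == "__main__":
    print(demo())
```

The bound parameter alone would already keep the payload out of the SQL grammar; the allow-list is added because, in a management API where the caller is an authenticated administrator, rejecting malformed input early also gives you a clean audit event to alert on.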

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CVSS Score: 6.8

Product Status

Vendor Fortinet
Product FortiManager
Versions Default: unaffected
  • affected from 7.6.0 to 7.6.3 (incl.)
Vendor Fortinet
Product FortiAnalyzer
Versions Default: unaffected
  • affected from 7.6.0 to 7.6.3 (incl.)
Vendor Fortinet
Product FortiManager Cloud
Versions Default: unaffected
  • affected from 7.6.2 to 7.6.4 (incl.)
Vendor Fortinet
Product FortiAnalyzer Cloud
Versions Default: unaffected
  • affected from 7.6.2 to 7.6.3 (incl.)

Solutions

  • Upgrade to upcoming FortiManager version 8.0.0 or above
  • Upgrade to FortiManager version 7.6.5 or above
  • Upgrade to FortiManager version 7.4.9 or above
  • Upgrade to FortiAnalyzer version 7.6.5 or above
  • Upgrade to FortiAnalyzer version 7.4.9 or above
  • Upgrade to FortiAnalyzer Cloud version 7.6.4 or above
  • Upgrade to FortiManager Cloud version 7.6.5 or above
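An added exposure check, written for this page and not part of the advisory, that encodes the affected ranges from the description and the fixed releases from the Solutions list so a fleet inventory can be screened offline. One caveat is built in: the description lists FortiAnalyzer Cloud 7.6.0 through 7.6.4 as affected, while the Product Status block and the Solutions list treat 7.6.4 as the fixed release, so the table below follows the latter for that product. Branches with "all versions" affected and no fix listed (7.2 and 7.0, and 7.4 for the Cloud products) are reported as needing a move to a fixed branch rather than a point release. The product names and version strings are the page's; the function names are this example's own.

```python
# Affected ranges taken from the advisory description. A two-element tuple is an
# inclusive (low, high) range; a one-element tuple marks a whole branch as affected.
AFFECTED = {
    "FortiManager":       [("7.6.0", "7.6.4"), ("7.4.0", "7.4.8"), ("7.2",), ("7.0",)],
    "FortiManager Cloud": [("7.6.0", "7.6.4"), ("7.4.0", "7.4.8"), ("7.2",), ("7.0",)],
    "FortiAnalyzer":      [("7.6.0", "7.6.4"), ("7.4.0", "7.4.8"), ("7.2",), ("7.0",)],
    # Product Status and Solutions treat FortiAnalyzer Cloud 7.6.4 as fixed (see lead-in).
    "FortiAnalyzer Cloud": [("7.6.0", "7.6.3"), ("7.4.0", "7.4.8"), ("7.2",), ("7.0",)],
}

# First fixed release per branch, from the Solutions list. Branches absent here
# have no fix listed on the page.
FIXED = {
    "FortiManager":        {"7.6": "7.6.5", "7.4": "7.4.9"},
    "FortiManager Cloud":  {"7.6": "7.6.5"},
    "FortiAnalyzer":       {"7.6": "7.6.5", "7.4": "7.4.9"},
    "FortiAnalyzer Cloud": {"7.6": "7.6.4"},
}


def parse(version: str) -> tuple[int, ...]:
    """'7.6.4' -> (7, 6, 4); tuples compare component-wise, which is what we need."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside any range the advisory lists for the product."""
    v = parse(version)
    for rng in AFFECTED[product]:
        if len(rng) == 1:                      # whole branch, e.g. ("7.2",)
            branch = parse(rng[0])
            if v[: len(branch)] == branch:
                return True
        else:
            low, high = parse(rng[0]), parse(rng[1])
            if low <= v <= high:
                return True
    return False


def remediation(product: str, version: str) -> str:
    """Map an affected product/version to the action the Solutions list supports."""
    if not is_affected(product, version):
        return "not affected by the listed ranges"
    branch = ".".join(version.split(".")[:2])
    fixed = FIXED[product].get(branch)
    if fixed:
        return f"upgrade to {fixed} or above"
    return "no fix listed for this branch; migrate to a fixed branch"


def screen(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Return (host, action) for every inventory entry that is affected."""
    return [
        (host, remediation(product, version))
        for host, product, version in inventory
        if is_affected(product, version)
    ]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("fmg-01", "FortiManager", "7.6.3"),
        ("fmg-02", "FortiManager", "7.6.5"),
        ("faz-01", "FortiAnalyzer", "7.2.9"),
        ("faz-cloud", "FortiAnalyzer Cloud", "7.6.4"),
        ("fmg-cloud", "FortiManager Cloud", "7.4.2"),
    ]
    for host, action in screen(sample):
        print(f"{host}: {action}")
```

The check only covers the 7.x ranges the page names; a version outside them (for example a future 8.0.0 release) is reported as not affected by this advisory, which is not the same as a statement that it is free of other issues.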

References

Problem Types

  • Execute unauthorized code or commands CWE