SQL injection in jsonrpc api
Rating: Monitor · Score: 5.6 · Fortinet advisory: FG-IR-26-095 · Published: Mar 10, 2026
Vendor: Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
SQL injection vulnerability in the JSON API of FortiAnalyzer allows authenticated users with high privileges to execute arbitrary SQL commands against the backend database. This could allow an attacker to read, modify, or delete security events, logs, and other data stored in FortiAnalyzer. The vulnerability affects multiple versions of FortiAnalyzer (7.0, 7.2, 7.4.0–7.4.7, 7.6.0–7.6.4) and FortiAnalyzer-BigData (7.2 and later, 7.4.0–7.4.4, 7.6.0), with no fix currently available for BigData variants.
What this means
What could happen
An attacker with high-level access to the management interface could inject SQL commands through the JSON API to read or modify the FortiAnalyzer database, potentially extracting sensitive log data or altering security policies and event records.
Who's at risk
Network and security operations teams using FortiAnalyzer for log centralization and analysis. Specifically affects: FortiAnalyzer versions 7.6.0–7.6.4, 7.4.0–7.4.7, and all 7.2 and 7.0 instances; FortiAnalyzer-BigData versions 7.6.0, 7.4.0–7.4.4, and all 7.2 and earlier versions. Any organization relying on FortiAnalyzer for security event logging, threat investigation, or compliance record-keeping is at risk if attackers with credentials can access the system.
How it could be exploited
An attacker with administrative or engineering credentials accesses the FortiAnalyzer JSON API endpoint and crafts a malicious SQL injection payload in an API request parameter. The injected SQL executes against the backend database with the same privileges as the API process, allowing data exfiltration or modification.
Prerequisites
- High-level credentials (admin or engineer) required to access the JSON API
- Network reachability to the FortiAnalyzer management interface (typically port 443)
- Knowledge of the vulnerable API endpoint and parameter structure
- Requires high-level credentials
- Low attack complexity
- Can extract sensitive security logs
- No fix available for FortiAnalyzer-BigData
- Affects log integrity and confidentiality
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (8)
5 with fix, 3 pending
Product | Affected Versions | Fix Status
FortiAnalyzer | 7.6.0 - 7.6.4 | 7.6.5+
FortiAnalyzer | 7.4.0 - 7.4.7 | 7.4.8+
FortiAnalyzer | 7.2 all versions | Migrate to fixed release
FortiAnalyzer | 7.0 all versions | Migrate to fixed release
FortiAnalyzer | 6.4 all versions | Migrate to fixed release
FortiAnalyzer-BigData | 7.6.0 | No fix yet
FortiAnalyzer-BigData | 7.4.0 - 7.4.4 | No fix yet
FortiAnalyzer-BigData | 7.2 all versions and 3 more | No fix yet
Remediation & Mitigation
Do now
FortiAnalyzer
HARDENING: Restrict network access to the FortiAnalyzer management interface to authorized administrative workstations and subnets using firewall rules
All products
HARDENING: Monitor JSON API access logs for suspicious query patterns or failed authentication attempts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
FortiAnalyzer
HOTFIX: Update FortiAnalyzer 7.6.x to version 7.6.5 or later
HOTFIX: Update FortiAnalyzer 7.4.x to version 7.4.8 or later
HOTFIX: Migrate FortiAnalyzer 7.2.x and 7.0.x installations to supported fixed releases (7.4.8+, 7.6.5+, or later)
Long-term hardening
FortiAnalyzer
HOTFIX: For FortiAnalyzer-BigData instances, plan migration to a patched version when available from Fortinet
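As an added example, not part of this advisory and not Fortinet's own tooling, the script below implements the "monitor JSON API access logs" item above. It scans access-log lines for SQL-injection-style patterns inside JSON request parameters and for bursts of failed authentication from a single source. The log line format, the /api/example path and every sample line are constructed for this example; they are not FortiAnalyzer's real log format or API paths, so parse_line() is the part to adapt to the actual export.

```python
"""Scan JSON API access logs for SQL-injection-style parameters and auth-failure bursts.

Added example for the advisory's monitoring item. The log format below is
CONSTRUCTED (timestamp, source IP, HTTP status, method, path, JSON body);
it is not FortiAnalyzer's actual format. Adapt parse_line() to the real export.
"""
import json
import re
from collections import Counter

# Constructed sample log lines. /api/example is a placeholder path, not a real endpoint.
SAMPLE_LOG = """\
2026-03-10T08:00:01Z 10.1.1.5 200 POST /api/example {"method":"get","params":{"filter":"name==fw1"}}
2026-03-10T08:00:02Z 10.1.1.5 200 POST /api/example {"method":"get","params":{"filter":"devid==FG100"}}
2026-03-10T08:00:05Z 10.9.9.9 401 POST /api/example {"method":"exec","params":{"user":"admin"}}
2026-03-10T08:00:06Z 10.9.9.9 401 POST /api/example {"method":"exec","params":{"user":"admin"}}
2026-03-10T08:00:07Z 10.9.9.9 401 POST /api/example {"method":"exec","params":{"user":"admin"}}
2026-03-10T08:01:10Z 10.1.1.5 200 POST /api/example {"method":"get","params":{"filter":"name=='fw1' UNION SELECT 1,2,3 --"}}
2026-03-10T08:01:11Z 10.1.1.5 200 POST /api/example {"method":"get","params":{"filter":"name=='x' OR '1'='1"}}
2026-03-10T08:02:00Z 10.1.1.7 200 POST /api/example {"method":"get","params":{"filter":"name==O'Brien"}}
"""

# <timestamp> <src_ip> <status> <method> <path> <json body>
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (.*)$")

# Three independent indicators; each one alone is weak, the combination is the signal.
SQL_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|alter|sleep|information_schema)\b", re.I)
COMMENT_OR_STACK = re.compile(r"(--|/\*|\*/|;\s*\w)")
TAUTOLOGY = re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?", re.I)


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, status, method, path, body = m.groups()
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        parsed = None  # keep the record; an unparsable body is still an auth-failure data point
    return {"ts": ts, "src": src, "status": int(status), "method": method,
            "path": path, "body": parsed}


def iter_strings(obj):
    """Yield every string value nested anywhere in a parsed JSON structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)


def sqli_indicators(value):
    """Return the list of indicator names that fire on one parameter value."""
    hits = []
    if SQL_KEYWORDS.search(value):
        hits.append("sql-keyword")
    if COMMENT_OR_STACK.search(value):
        hits.append("comment-or-stacked-query")
    if TAUTOLOGY.search(value):
        hits.append("tautology")
    return hits


def is_suspicious(hits):
    """A bare SQL keyword is too noisy on its own (device names, field names); require more."""
    return bool(hits) and hits != ["sql-keyword"]


def analyze(log_text, auth_fail_threshold=3):
    """Return suspicious parameter values, 401 counts per source, and human-readable alerts."""
    sqli_hits = []
    auth_failures = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["status"] == 401:
            auth_failures[rec["src"]] += 1
        if rec["body"] is not None:
            for value in iter_strings(rec["body"]):
                hits = sqli_indicators(value)
                if is_suspicious(hits):
                    sqli_hits.append({"ts": rec["ts"], "src": rec["src"],
                                      "value": value, "indicators": hits})
    alerts = [f"possible SQL injection from {h['src']} at {h['ts']}: {h['indicators']}"
              for h in sqli_hits]
    alerts += [f"{n} failed authentications from {ip}"
               for ip, n in auth_failures.items() if n >= auth_fail_threshold]
    return {"sqli_hits": sqli_hits, "auth_failures": dict(auth_failures), "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Run as a script it prints the alerts for the embedded sample: two flagged filter values from 10.1.1.5 and three failed authentications from 10.9.9.9, while the line containing O'Brien is left alone. The keyword-only case is deliberately not flagged because filter expressions and object names legitimately contain words like update or drop; the check needs a comment sequence, a stacked statement or a tautology alongside it.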
CVEs (1)