SQL Injection via JSON RPC API

Priority: Monitor
CVSS: 6.8
Advisory ID: FG-IR-26-111
Date: Apr 14, 2026
Vendor: Fortinet
Category: IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
  Attack Vector: Network
  Auth Required: High
  Complexity: Low
  User Interaction: None needed
Summary

A SQL injection vulnerability exists in the JSON RPC API of FortiAnalyzer and FortiManager. An authenticated attacker with high privileges can inject malicious SQL code through the API to execute unauthorized database queries, potentially exposing sensitive configuration and log data or modifying database contents.

What this means
What could happen
An attacker with administrative or high-privilege credentials could manipulate the FortiAnalyzer or FortiManager database through SQL injection, potentially accessing sensitive logs about your network security events, firewall rules, and system configurations, or corrupting security audit records.
Who's at risk
Organizations using FortiAnalyzer or FortiManager for security log management and device administration should prioritize this. These products are typically found in network operations centers managing firewall, intrusion detection, and security event monitoring across enterprise and critical infrastructure networks.
How it could be exploited
An attacker with high-privilege credentials (such as an administrative account) would authenticate to the JSON RPC API and submit specially crafted API requests containing SQL injection payloads. The vulnerable API endpoint would pass user input directly to database queries without proper sanitization, allowing the attacker to extract or modify database contents.
Prerequisites
  • High-privilege credentials (administrator or equivalent role) for FortiAnalyzer or FortiManager
  • Network access to the JSON RPC API endpoint
  • Authentication to the management interface
Key points
  • Requires high-privilege credentials
  • Access to sensitive security logs and configurations
  • Database integrity impact possible
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (16)
16 with fix
Product             | Affected Versions | Fix Status
FortiAnalyzer       | 7.6.0 - 7.6.4     | 7.6.5+
FortiAnalyzer       | 7.4.0 - 7.4.8     | 7.4.9+
FortiAnalyzer       | 7.2 all versions  | Migrate to fixed release
FortiAnalyzer       | 7.0 all versions  | Migrate to fixed release
FortiAnalyzer Cloud | 7.6.0 - 7.6.4     | 7.6.5+
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the JSON RPC API endpoint to authorized administrative workstations only
HARDENING: Enforce strong, unique passwords for all high-privilege administrative accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiAnalyzer
HOTFIX: Update FortiAnalyzer 7.6.x to version 7.6.5 or later
HOTFIX: Update FortiAnalyzer 7.4.x to version 7.4.9 or later
HOTFIX: Migrate FortiAnalyzer 7.2 and 7.0 to a supported fixed release (7.4.9+ or 7.6.5+)
FortiManager
HOTFIX: Update FortiManager 7.6.x to version 7.6.5 or later
HOTFIX: Update FortiManager 7.4.x to version 7.4.9 or later
HOTFIX: Migrate FortiManager 7.2 and 7.0 to a supported fixed release (7.4.9+ or 7.6.5+)
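To triage a device inventory against the version ranges above, the following Python helper is an added example (not from the advisory or from Fortinet). It assumes inventory rows of (hostname, product, version), models only FortiAnalyzer and FortiManager on the 7.0/7.2/7.4/7.6 branches named in the remediation steps, and uses constructed placeholder hostnames.

```python
# Added helper (not from the advisory or Fortinet): map an inventory of
# FortiAnalyzer / FortiManager versions to the actions in FG-IR-26-111.
# Versions are compared numerically, so 7.6.10 counts as newer than 7.6.5
# (a plain string comparison would get this wrong).

# Fixed release per maintained branch, as stated in the remediation section.
FIXED_BY_BRANCH = {(7, 6): (7, 6, 5), (7, 4): (7, 4, 9)}
# Branches with no fix: the advisory says to migrate to 7.4.9+ or 7.6.5+.
UNFIXED_BRANCHES = {(7, 2), (7, 0)}
# Only the products named in the remediation steps are modelled (assumption).
COVERED_PRODUCTS = {"FortiAnalyzer", "FortiManager"}


def parse_version(text: str) -> tuple:
    """Parse 'x.y.z' or 'x.y' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def triage(product: str, version: str) -> str:
    """Return the remediation action for one device."""
    if product not in COVERED_PRODUCTS:
        return "not covered by this advisory"
    v = parse_version(version)
    if v[:2] in UNFIXED_BRANCHES:
        return "affected: migrate to 7.4.9+ or 7.6.5+"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "branch not listed in advisory: verify with vendor"
    return "fixed" if v >= fixed else "affected: update to %d.%d.%d or later" % fixed


def triage_inventory(rows):
    """rows: iterable of (hostname, product, version) -> list of (hostname, action)."""
    return [(host, triage(product, version)) for host, product, version in rows]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    inventory = [
        ("faz-core-01", "FortiAnalyzer", "7.6.4"),
        ("faz-core-02", "FortiAnalyzer", "7.6.10"),
        ("fmg-ot-01", "FortiManager", "7.4.8"),
        ("fmg-legacy", "FortiManager", "7.2.7"),
        ("fgt-edge-01", "FortiGate", "7.6.0"),
    ]
    for host, action in triage_inventory(inventory):
        print(f"{host:12} {action}")
```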