Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Fortinet PSIRT

SQLi in administrative interface

A SQL injection vulnerability (CWE-89) exists in FortiClientEMS, allowing an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. This vulnerability has a CVSSv3 score of 9.1. According to the advisory, FortiClientEMS 7.4.4 is affected and the fix is to upgrade to 7.4.5 or above; FortiClientEMS 8.0 and 7.2 are not affected. No workaround information is provided in the article.

PSIRT

SQLi in administrative interface

Summary

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Version              Affected       Solution
FortiClientEMS 8.0   Not affected   Not Applicable
FortiClientEMS 7.4   7.4.4          Upgrade to 7.4.5 or above
FortiClientEMS 7.2   Not affected   Not Applicable

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Timeline

2026-02-06: Initial publication
2026-02-06: removed FortiEMS Cloud, since it's not affected
