Pervasive SQL injection in DAS component

Summary

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.
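To make the weakness class concrete, the following added example (generic CWE-89 illustration, not FortiClientEMS or DAS code, and not from Fortinet) shows a lookup that splices a request value into SQL text beside the parameterized form that neutralizes it. The table, rows and crafted input are constructed for the demonstration; the point is that the same input returns every row through the vulnerable path and nothing through the hardened one.

```python
import sqlite3

# Constructed in-memory table standing in for any application table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, tenant TEXT)")
    conn.executemany(
        "INSERT INTO clients (name, tenant) VALUES (?, ?)",
        [("laptop-01", "acme"), ("laptop-02", "acme"), ("server-01", "other")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # CWE-89: the request value becomes part of the statement text, so a quote
    # character in 'name' changes the structure of the query, not just its data.
    sql = "SELECT id, name, tenant FROM clients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, name):
    # Parameterized query: the driver binds the value separately from the
    # statement, so it can only ever be compared as data.
    return conn.execute(
        "SELECT id, name, tenant FROM clients WHERE name = ?", (name,)
    ).fetchall()

def demo():
    """Run both paths against the same crafted input and a normal input."""
    conn = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing a quote character
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),
        "hardened_rows": len(lookup_hardened(conn, crafted)),
        "hardened_normal": len(lookup_hardened(conn, "laptop-01")),
    }

if __name__ == "__main__":
    print(demo())
```

In code review, the defect to look for is any query built with string formatting or concatenation from request data; the fix is binding parameters (or an ORM that does so), which is what the upgrade in an advisory like this one applies server-side.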

Version              Affected               Solution
FortiClientEMS 7.2   7.2.0 through 7.2.2    Upgrade to 7.2.3 or above
FortiClientEMS 7.0   7.0.1 through 7.0.10   Upgrade to 7.0.11 or above
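The check an administrator wants from this table is whether a given FortiClientEMS build falls inside an affected range and which release to move to. The added example below (not Fortinet tooling) transcribes the two rows above into inclusive ranges and compares versions as integer tuples, which matters here because a plain string comparison would sort 7.0.10 before 7.0.2 and misplace it. The inventory lines are constructed sample data; the advisory lists only the 7.0 and 7.2 branches, so the function reports other branches as not covered by this advisory rather than guessing.

```python
import re

# Remediation table transcribed from the advisory: (branch, first affected,
# last affected, fixed-in). Ranges are inclusive, as the advisory states them.
AFFECTED = [
    ("7.2", (7, 2, 0), (7, 2, 2), "7.2.3"),
    ("7.0", (7, 0, 1), (7, 0, 10), "7.0.11"),
]

def parse_version(text):
    """Turn 'FortiClientEMS 7.0.10' or '7.0.10' into a comparable tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def assess(text):
    """Return (affected, branch, upgrade_to) for one version string.

    branch is None when the version is on a branch the advisory does not list;
    upgrade_to is None when the version is not inside an affected range.
    """
    v = parse_version(text)
    for branch, low, high, fixed in AFFECTED:
        if v[:2] == low[:2]:
            if low <= v <= high:
                return (True, branch, fixed)
            return (False, branch, None)
    return (False, None, None)

def triage(inventory):
    """inventory: iterable of 'hostname version' lines. Returns affected hosts."""
    hits = []
    for line in inventory:
        host, _, ver = line.strip().partition(" ")
        affected, _branch, fixed = assess(ver)
        if affected:
            hits.append((host, ver, fixed))
    return hits

# Constructed sample inventory (hypothetical hostnames).
SAMPLE_INVENTORY = [
    "ems-prod-01 7.0.10",
    "ems-prod-02 7.2.2",
    "ems-lab-01 7.2.3",
    "ems-old-01 7.0.1",
]

if __name__ == "__main__":
    for host, ver, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} affected, upgrade to {fixed} or above")
```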

Virtual Patch named "FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection" is available in FMWP db update 27.750

This vulnerability is exploited in the wild

Note that production FortiSASE was patched with a fix on 2024-03-05

Acknowledgement

Co-discovered and reported by Thiago Santana from the Fortinet FortiClientEMS development team and UK NCSC

Timeline

2024-02-22: Initial publication
2024-03-21: Added IPS signature information
2024-04-26: Added FortiSASE's fix timeline