Fortinet FortiAnalyzer SQL Injection Flaw Lets Attackers Run Unauthorized Code
CVE-2025-49784
Summary
Fortinet's FortiAnalyzer software has a SQL injection weakness that allows a malicious user with a valid login to execute unauthorized code or commands through specially crafted requests. An attacker could use this to access sensitive data or disrupt the system. Fortinet recommends upgrading to a fixed version of FortiAnalyzer to prevent this issue.
Original title
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer...
Original description
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer-BigData 7.6.0, FortiAnalyzer-BigData 7.4.0 through 7.4.4, FortiAnalyzer-BigData 7.2 all versions, FortiAnalyzer-BigData 7.0 all versions, FortiAnalyzer-BigData 6.4 all versions, FortiAnalyzer-BigData 6.2 all versions may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted requests.
NVD CVSS 3.1
6.0
Vulnerability type
CWE-89
SQL Injection
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026