CVE-2023-48788 CRITICAL

CVE-2023-48788

Vendor Fortinet
Product FortiClientEMS
Weakness CWE-89 · SQLi
KEV Status Known Exploited
Ransomware Used in campaigns
Published March 12, 2024
Last update October 21, 2025
View on NVD All CVEs

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C

What the vulnerability does

01Description

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

March 12, 2024 CVE published
October 21, 2025 Record updated

Related vulnerabilities

05Related CVE

CVE-2023-6765 SourceCodester Online Tours & Travels Management System email_setup.php prepare sql injection CVE-2025-10604 PHPGurukul Online Discussion Forum edit_member.php sql injection CVE-2026-1800 Fonts Manager | Custom Fonts <= 1.2 - Unauthenticated SQL Injection via fmcfIdSelectedFnt parameter CVE-2023-48434 Online Voting System Project v1.0 - Multiple Unauthenticated SQL Injections (SQLi) CVE-2026-7290 JeecgBoot loadDict Endpoint SqlInjectionUtil.java SqlInjectionUtil sql injection