CVE-2025-61848 MEDIUM

CVE-2025-61848

Vendor Fortinet

Product FortiManager

Weakness CWE-89 · SQLi

Published April 14, 2026

Last update April 15, 2026

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

What the vulnerability does

01Description

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via JSON RPC API

Key dates

02Disclosure timeline

April 14, 2026 CVE published

April 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-61848

Related vulnerabilities

Identifiers

CVE CVE-2025-61848

CWE CWE-89

CVSS 6.8 / MEDIUM

Affected versions

Vendor Fortinet

Product FortiManager

Affected ≥ 7.6.0 and ≤ 7.6.3

Vendor Fortinet

Product FortiAnalyzer

Affected ≥ 7.6.0 and ≤ 7.6.3

Vendor Fortinet

Product FortiManager Cloud

Affected ≥ 7.6.2 and ≤ 7.6.4

Vendor Fortinet

Product FortiAnalyzer Cloud

Affected ≥ 7.6.2 and ≤ 7.6.3

CVE-2025-61848

01Description

02Disclosure timeline

03References

04Related CVE