CVE-2022-26116

HIGH

FortiNAC <= 8.3.7, 8.5.2, 8.5.4, 8.6.0, <= 8.6.5, <= 8.7.6, <= 8.8.11, <= 9.1.5, <= 9.2.2 - Authenticated SQL Injection

Title source: llm
STIX 2.1

Description

Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.2 and below may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://fortiguard.com/psirt/FG-IR-22-062

Scores

CVSS v3 7.2
EPSS 0.0037
EPSS Percentile 59.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (3)
fortinet/fortinac 8.5.4
fortinet/fortinac 8.6.0
fortinet/fortinac < 8.3.7
Published May 11, 2022
Tracked Since Feb 18, 2026