NVD - CVE-2023-48788 (original) (raw)
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
CNA: Fortinet, Inc.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].
| URL | Source(s) | Tag(s) |
|---|---|---|
| https://fortiguard.com/psirt/FG-IR-24-007 | CVE, Fortinet, Inc. | Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-48788 | CISA-ADP | US Government Resource |
This CVE is in CISA's Known Exploited Vulnerabilities Catalog
Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.
| Vulnerability Name | Date Added | Due Date | Required Action |
|---|---|---|---|
| Fortinet FortiClient EMS SQL Injection Vulnerability | 03/25/2024 | 04/15/2024 | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Fortinet, Inc. |
Known Affected Software Configurations Switch to CPE 2.2
Change History
13 change records found show changes
Modified Analysis by NIST 10/24/2025 8:54:49 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference Type | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2023-48788 Types: US Government Resource |
CVE Modified by CISA-ADP 10/21/2025 7:16:14 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2023-48788 |
CVE Modified by CISA-ADP 10/21/2025 4:19:44 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Removed | Reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2023-48788 |
CVE Modified by CISA-ADP 10/21/2025 3:20:28 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2023-48788 |
Modified Analysis by NIST 1/27/2025 3:56:34 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | CPE Configuration | OR *cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:* versions from (including) 7.0.1 up to (including) 7.0.10 *cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.2 | OR *cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:* versions from (including) 7.0.1 up to (excluding) 7.0.11 *cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (excluding) 7.2.3 |
CVE Modified by CVE 11/21/2024 3:32:26 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://fortiguard.com/psirt/FG-IR-24-007 |
CVE Modified by Fortinet, Inc. 6/04/2024 3:17:52 PM
| Action | Type | Old Value | New Value |
|---|
Modified Analysis by NIST 5/23/2024 2:00:08 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | Reference Type | https://fortiguard.com/psirt/FG-IR-24-007 No Types Assigned | https://fortiguard.com/psirt/FG-IR-24-007 Vendor Advisory |
CVE Modified by Fortinet, Inc. 5/14/2024 10:02:24 AM
| Action | Type | Old Value | New Value |
|---|
CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 3/25/2024 9:00:02 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Date Added | 2024-03-25 | |
| Added | Due Date | 2024-04-15 | |
| Added | Required Action | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. | |
| Added | Vulnerability Name | Fortinet FortiClient EMS SQL Injection Vulnerability |
CVE Modified by Fortinet, Inc. 3/19/2024 4:15:06 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | Fortinet, Inc. https://fortiguard.com/psirt/FG-IR-24-007 [No types assigned] | |
| Removed | Reference | Fortinet, Inc. https://fortiguard.com/psirt/FG-IR-23-430 |
Initial Analysis by NIST 3/15/2024 10:52:23 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |
| Added | CPE Configuration | OR *cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:* versions from (including) 7.0.1 up to (including) 7.0.10 *cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:* versions from (including) 7.2.0 up to (including) 7.2.2 | |
| Changed | Reference Type | https://fortiguard.com/psirt/FG-IR-23-430 No Types Assigned | https://fortiguard.com/psirt/FG-IR-23-430 Vendor Advisory |
New CVE Received from Fortinet, Inc. 3/12/2024 11:15:46 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets. | |
| Added | CVSS V3.1 | Fortinet, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |
| Added | CWE | Fortinet, Inc. CWE-89 | |
| Added | Reference | Fortinet, Inc. https://fortiguard.com/psirt/FG-IR-23-430 [No types assigned] |