Description
An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, and FortiMail 7.2.0 through 7.2.8 allows an authenticated privileged attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.
Published: 2026-05-12
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an SQL injection flaw (CWE‑89) in Fortinet FortiMail versions 7.2.0 through 7.2.8, 7.4.0 through 7.4.5, and 7.6.0 through 7.6.3. The flaw arises from improper neutralization of special elements in an SQL command, enabling an authenticated user with privileged access to send specially crafted HTTP or HTTPS requests that cause the back‑end database to execute arbitrary SQL. This can allow the attacker to run arbitrary code or commands on the FortiMail appliance, compromising the confidentiality, integrity, and availability of email traffic and system data.

Affected Systems

The affected products are Fortinet FortiMail appliance releases 7.2.0–7.2.8, 7.4.0–7.4.5, and 7.6.0–7.6.3. FortiMail Cloud customers are protected starting with version 25.2, which removes the flaw, so no remedial action is required for cloud deployments.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker hold authenticated privileged credentials, and the attack vector is network‑based, targeting HTTP or HTTPS endpoints. Because the flaw yields full code execution on the appliance, the potential damage is high if privileged credentials are compromised or mismanaged.

Generated by OpenCVE AI on May 12, 2026 at 18:22 UTC.

Remediation

Vendor Solution

Upgrade to FortiMail version 7.6.4 or above.
Upgrade to FortiMail version 7.4.6 or above.
Upgrade to FortiMail version 7.2.9 or above.
Fortinet remediated this issue in FortiMail Cloud version 25.2, and hence customers do not need to perform any action.


OpenCVE Recommended Actions

  • Upgrade to the latest FortiMail release (7.6.4 or newer, 7.4.6 or newer, or 7.2.9 or newer) to apply the official fix.
  • For customers running FortiMail Cloud, confirm that the system is operating on version 25.2 or later; no additional action is required.
  • Restrict privileged access by applying the principle of least privilege, removing or revoking unnecessary administrative accounts, and ensuring only truly privileged accounts have write access to the mail infrastructure.
  • Enable logging and monitor HTTP/HTTPS traffic for anomalous SQL injection patterns, and investigate any suspicious requests.

Generated by OpenCVE AI on May 12, 2026 at 18:22 UTC.
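As an added example (not OpenCVE's or Fortinet's code) for the Affected Systems and Recommended Actions passages above: a Python triage helper that maps an inventory of FortiMail version strings onto the affected ranges and the vendor's fixed releases, so a fleet can be checked before the upgrade window. The affected ranges and fix versions come from the advisory; the function names and the sample inventory are constructed.

```python
"""Triage helper for the FortiMail SQL injection advisory (added example).
Affected ranges and fixed releases are taken from the advisory text;
hostnames and the inventory below are constructed sample data."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per release branch, per the advisory
AFFECTED_BRANCHES: Dict[Tuple[int, int], Tuple[Version, Version, Version]] = {
    (7, 2): ((7, 2, 0), (7, 2, 8), (7, 2, 9)),
    (7, 4): ((7, 4, 0), (7, 4, 5), (7, 4, 6)),
    (7, 6): ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
}


def parse_version(text: str) -> Version:
    """Parse 'v7.4.2', '7.4.2' or '7.4' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiMail version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def fix_version_for(version: str) -> Optional[str]:
    """Return the first fixed release if `version` is inside an affected range, else None."""
    v = parse_version(version)
    branch = AFFECTED_BRANCHES.get((v[0], v[1]))
    if branch is None:
        return None  # branch not named in the advisory; nothing to say about it here
    low, high, fixed = branch
    if low <= v <= high:
        return ".".join(map(str, fixed))
    return None  # already at or beyond the fixed release for this branch


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> required upgrade for every affected appliance in `inventory`."""
    return {host: fix for host, ver in inventory.items()
            if (fix := fix_version_for(ver)) is not None}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {"fml-eu-1": "7.6.2", "fml-eu-2": "7.6.4", "fml-us-1": "v7.2.8",
              "fml-lab": "7.4.6", "fml-apac": "7.4"}
    for host, fix in sorted(triage(sample).items()):
        print(f"{host}: affected, upgrade to {fix} or later")
```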

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 18:45:00 +0000

Title (values added): FortiMail SQL Injection Allowing Remote Code Execution

Tue, 12 May 2026 17:30:00 +0000

Description (values added): An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2.0 through 7.2.8 allows an authenticated privileged attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.
First Time appeared (values added): Fortinet; Fortinet fortimail
Weaknesses (values added): CWE-89
CPEs (values added)
Vendors & Products (values added): Fortinet; Fortinet fortimail
References (values added): none
Metrics (values added): cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-05-13T03:58:26.763Z

Reserved: 2025-07-08T09:23:05.011Z

Link: CVE-2025-53681

Vulnrichment

Updated: 2026-05-12T19:02:08.696Z

NVD

Status : Awaiting Analysis

Published: 2026-05-12T18:16:35.860

Modified: 2026-05-12T18:57:02.307

Link: CVE-2025-53681

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T19:00:18Z

Weaknesses