Description
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow an attacker to execute unauthorized code or commands via sending crafted HTTP requests.
Published: 2026-04-14
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via SQL injection
Action: Immediate Patch
AI Analysis

Impact

FortiDDoS-F firmware versions 7.2.1 and 7.2.2 contain an SQL injection vulnerability caused by improper neutralization of special characters in SQL commands. An attacker who can send crafted HTTP requests to the device may be able to inject malicious SQL, which can lead to unauthorized execution of code or commands. This flaw could compromise the integrity of the device, potentially allowing an attacker to gain elevated privileges or disrupt service.

Affected Systems

Fortinet’s FortiDDoS-F product is affected when running firmware versions 7.2.1 and 7.2.2. The vulnerability applies to releases before version 7.2.3, which includes the fix.

Risk and Exploitability

The CVSS base score of 7.9 reflects high severity, indicating that exploitation poses a substantial risk. EPSS data is not publicly available, and the vulnerability is not listed in CISA’s KEV catalog, so no confirmed exploits are known. Based on the description, the likely attack vector is remote, via network-based HTTP requests, and does not appear to require authenticated access, meaning any external actor could attempt injection. Consequently, the impact is high if the flaw is leveraged, emphasizing the need for timely remediation.

Generated by OpenCVE AI on April 14, 2026 at 20:46 UTC.

Remediation

Vendor Solution

Upgrade to FortiDDoS-F version 7.2.3 or above


OpenCVE Recommended Actions

  • Upgrade to FortiDDoS-F version 7.2.3 or above
  • If a firmware upgrade cannot be applied immediately, investigate HTTP traffic for suspicious SQL injection patterns and block malicious requests at the network perimeter
  • Verify that the device firmware is updated by consulting the FortiGuard advisory and checking device logs for any injection attempts
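The second action above (review HTTP traffic for SQL injection patterns while the firmware upgrade is pending) is the kind of check a defender would script against exported web-access logs. The following is an added example written for this page, not code from OpenCVE or Fortinet. Because the advisory does not disclose the vulnerable endpoint or parameter, the indicators are generic SQL-injection markers; the log line format and every sample request are constructed. It URL-decodes each parameter repeatedly (so double-encoded payloads are seen), collapses inline `/**/` comments that attackers use to split keywords, and scores each request so that a lone apostrophe in a legitimate value such as `O'Brien` is not reported.

```python
"""Interim triage of HTTP request logs for SQL-injection indicators.

Added example for this page; not FortiDDoS or OpenCVE code. The log
format and the sample lines are constructed, and the indicator patterns
are generic because the advisory names no vulnerable parameter.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log: <client-ip> "<METHOD> <target> HTTP/1.1" <status>
SAMPLE_LOG = """\
203.0.113.10 "GET /api/report?id=42 HTTP/1.1" 200
203.0.113.11 "GET /api/report?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200
203.0.113.12 "GET /api/report?id=1;%20DROP%20TABLE%20users-- HTTP/1.1" 500
203.0.113.13 "GET /status?name=O%27Brien HTTP/1.1" 200
203.0.113.14 "GET /api/report?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200
203.0.113.15 "GET /api/report?id=1/**/AND/**/1=1 HTTP/1.1" 200
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# (name, pattern, weight): a request is reported when the summed weight of
# distinct indicators reaches THRESHOLD. A single quote alone scores 1, so
# ordinary values containing an apostrophe stay below the threshold.
INDICATORS = [
    ("tautology",     re.compile(r"['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*", re.I), 3),
    ("union_select",  re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S), 3),
    ("stacked_query", re.compile(r";\s*(drop|delete|insert|update|alter|exec|create)\b", re.I), 3),
    ("time_based",    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I), 2),
    ("boolean_probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I), 2),
    ("sql_comment",   re.compile(r"(--|/\*|\*/)"), 1),
    ("quote",         re.compile(r"'"), 1),
]
THRESHOLD = 2


def fully_decode(value, max_passes=3):
    """Undo repeated percent-encoding so double-encoded payloads are visible."""
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query):
    """Split a raw query string into (key, raw_value) pairs without decoding
    the values yet; '&' is the only separator, unlike older parse_qsl."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((fully_decode(key), value))
    return pairs


def score_value(raw_value):
    """Return (score, sorted indicator names) for one parameter value."""
    decoded = fully_decode(raw_value)
    # Collapse inline comments so "1/**/AND/**/1=1" reads as "1 AND 1=1".
    normalized = re.sub(r"/\*.*?\*/", " ", decoded)
    hits = {}
    for name, pattern, weight in INDICATORS:
        if pattern.search(decoded) or pattern.search(normalized):
            hits[name] = weight
    return sum(hits.values()), sorted(hits)


def triage_request(target):
    """Score every query parameter of a request target; return the worst
    as (score, indicator names, parameter name)."""
    worst = (0, [], None)
    for key, raw_value in parse_query(urlsplit(target).query):
        score, names = score_value(raw_value)
        if score > worst[0]:
            worst = (score, names, key)
    return worst


def triage_log(text, threshold=THRESHOLD):
    """Return one finding per parseable log line whose score reaches threshold."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        score, names, param = triage_request(m["target"])
        if score >= threshold:
            findings.append({"ip": m["ip"], "status": m["status"], "param": param,
                             "score": score, "indicators": names})
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Findings are a starting point for investigation, not proof of exploitation: the score tells an analyst which requests to look at first, and the `status` field is kept because a 500 on an injected parameter is a useful corroborating signal. Tune the weights and threshold to the device's own traffic before relying on the output to block requests at the perimeter.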



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Type: Title
Values Added: SQL Injection in FortiDDoS-F Enabling Unauthorized Code Execution

Tue, 14 Apr 2026 18:00:00 +0000

Type: Description
Values Removed: A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or commands via <insert attack vector here>
Values Added: A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or commands via sending crafted HTTP requests

Tue, 14 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:00:00 +0000

Type: Description
Values Added: A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or commands via <insert attack vector here>

Type: First Time appeared
Values Added: Fortinet; Fortinet fortiddos-f

Type: Weaknesses
Values Added: CWE-89

Type: CPEs
Values Added: cpe:2.3:o:fortinet:fortiddos-f:7.2.1:*:*:*:*:*:*:*; cpe:2.3:o:fortinet:fortiddos-f:7.2.2:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Fortinet; Fortinet fortiddos-f

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-14T17:35:54.853Z

Reserved: 2026-04-07T15:24:20.512Z

Link: CVE-2026-39815

Vulnrichment

Updated: 2026-04-14T16:37:02.310Z

NVD

Status: Received

Published: 2026-04-14T16:16:46.383

Modified: 2026-04-14T18:17:39.153

Link: CVE-2026-39815

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses