DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-59922: CVE-2025-59922: When 'Read-Only' Means 'Root-Owns-You' in FortiClientEMS

#security #cve #cybersecurity

CVE-2025-59922: When 'Read-Only' Means 'Root-Owns-You' in FortiClientEMS

Vulnerability ID: CVE-2025-59922
CVSS Score: 7.2
Published: 2026-01-13

A critical SQL Injection vulnerability in Fortinet FortiClientEMS allows low-privileged, read-only administrators to execute arbitrary SQL commands. Because FortiClientEMS typically runs on top of a Microsoft SQL Server (MSSQL) stack, this often translates directly into Remote Code Execution (RCE) via xp_cmdshell or similar stored procedures. The flaw resides in how the application handles image rendering tags, effectively turning a cosmetic feature into a system shell.

TL;DR

Fortinet FortiClientEMS contains a SQL Injection flaw (CVE-2025-59922) accessible to authenticated users with as little as Read-Only access. By injecting malicious SQL into fields related to image rendering (the 'IMG tag' vector), attackers can manipulate the backend database. In default configurations where the database runs with high privileges, this leads to full Remote Code Execution (RCE) as SYSTEM. Patches are available in versions 7.4.5 and 7.2.12.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-89 (SQL Injection)
  • Attack Vector: Network (Authenticated)
  • CVSS v3.1: 7.2 (High)
  • Exploit Status: Proof of Concept (PoC) Available
  • Authentication: Required (Low Priv / Read-Only)
  • Risk: Remote Code Execution (RCE) via Database

Affected Systems

  • FortiClientEMS 7.4.0 through 7.4.4 (excluding 7.4.2)
  • FortiClientEMS 7.2.0 through 7.2.10
  • FortiClientEMS 7.0 (All Versions)
  • FortiClientEMS: 7.4.0 - 7.4.4 (Fixed in: 7.4.5)
  • FortiClientEMS: 7.2.0 - 7.2.10 (Fixed in: 7.2.12)
  • FortiClientEMS: <= 7.0.13 (Fixed in: Upgrade to 7.2+)

Exploit Details

  • Fortinet PSIRT: Official advisory confirming E:P (Proof of Concept) metric.

Mitigation Strategies

  • Upgrade to patched versions immediately.
  • Isolate the Management Interface from the public internet.
  • Apply Principle of Least Privilege to database service accounts.

Remediation Steps:

  1. Log in to the Fortinet Support Portal.
  2. Download the installer for FortiClientEMS 7.4.5 or 7.2.12.
  3. Back up your current EMS database.
  4. Run the installer to upgrade the instance.
  5. Verify that xp_cmdshell is disabled on the SQL backend if not strictly required.

References

Read the full report for CVE-2025-59922 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)