SQL injection in FortiVoice
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2025-58692 |
| CWE-ID | CWE-89 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
FortiVoice Server applications / Conferencing, Collaboration and VoIP solutions |
| Vendor | Fortinet, Inc |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) SQL injection
EUVDB-ID: #VU118607
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-58692
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in an sql command ('sql injection') in voice and administrative interface. An authenticated attacker can execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.
MitigationInstall update from vendor's website.
Vulnerable software versionsFortiVoice: 7.0.0 - 7.2.2
CPE2.3 External linkshttps://www.fortiguard.com/psirt/FG-IR-25-666
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
