SQL injection in FortiVoice - CVE-2025-58692

 

SQL injection in FortiVoice - CVE-2025-58692

Published: November 18, 2025


Vulnerability identifier: #VU118607
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-58692
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Fortinet, Inc
Affected software:
FortiVoice

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

The vulnerability exists due to improper neutralization of special elements used in an sql command ('sql injection') in voice and administrative interface. An authenticated attacker can execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.


How to mitigate CVE-2025-58692

Install update from vendor's website.

Sources