Fortinet Discloses SQL Injection Vulnerability in FortiDDoS-F Appliances
Fortinet has disclosed a high-severity SQL injection vulnerability in FortiDDoS-F that could allow authenticated attackers to execute arbitrary SQL queries via crafted HTTP requests.
Fortinet has disclosed a high-severity SQL injection vulnerability (FG-IR-26-119) in its FortiDDoS-F appliances, a family of dedicated DDoS mitigation devices. The flaw, assigned a CVSSv3 score of 7.9, stems from improper neutralization of special elements used in SQL commands (CWE-89) and could allow an authenticated attacker to execute arbitrary SQL queries on the backend database by sending specially crafted HTTP requests.
The vulnerability affects FortiDDoS-F version 7.2.1 through 7.2.2. According to the advisory published on April 14, 2026, earlier versions 7.0, 6.6, 6.5, 6.4, and 6.3 are not affected. Fortinet has released a fix in FortiDDoS-F version 7.2.3 and strongly recommends that all customers upgrade to this patched release as soon as possible.
The vulnerability was internally discovered and reported by David Maciejak of Fortinet's Product Security team, indicating that the company's internal security review processes identified the flaw before any known external exploitation. While no active exploitation has been reported, the severity of the vulnerability and the potential for database compromise make patching a priority for organizations using affected FortiDDoS-F appliances.
FortiDDoS-F appliances are deployed in enterprise and service provider environments to protect against distributed denial-of-service attacks. A successful SQL injection attack could allow an authenticated attacker to extract sensitive configuration data, modify DDoS protection rules, or potentially pivot to other systems connected to the same database. The authenticated nature of the exploit somewhat limits the attack surface, but privileged users with access to the management interface could abuse this flaw.
Fortinet has not provided specific workarounds or mitigations beyond upgrading to the patched version. Organizations that cannot immediately apply the update should restrict access to the FortiDDoS-F management interface to trusted IP addresses and enforce strong authentication policies to reduce the risk of exploitation.
This disclosure is part of a broader pattern of SQL injection vulnerabilities being addressed across Fortinet's product line. In recent months, the company has patched similar flaws in FortiMail and FortiNDR, highlighting the ongoing challenge of securing complex web interfaces against injection attacks. Security teams should review their Fortinet deployments and prioritize patching for all affected products.