nlict
New Contributor

FortiClientEMS 7.2 - Pervasive SQL injection in DAS component

Hi Support,

Got a question regarding the Android FortiClientEMS 7.2.2.

On 12 March we saw a message regarding FortiClientEMS 7.2.2 having a vulnerability. (See link below.)

All of our EMS clients have been updated to the latest version, 7.2.4.

Now my question is: when will the Android app be updated to the latest version? From what I can see, the version on the App store is 7.2.2.0127.

And a second question: does this vulnerability also apply to the Android FortiEMS?

Link:

PSIRT | FortiGuard Labs

FortiClient - Apps on Google Play

Kind regards,

Dennis Zaan

1 Solution
johnathan
Staff

Please note, this vulnerability only affects the FortiClient EMS server, not the endpoints themselves. If your EMS server is on 7.2.3 or above you are fine.

"Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth."

3 REPLIES
AEK
SuperUser

There is no SQL server on FortiClient (client side); there is one only on FortiClient EMS (server side), and you have already patched it to the safe version.

AEK
nlict
New Contributor

**bleep** I feel stupid... thanks guys!
