FortiVoice is a unified communications and collaboration platform used by organizations for voice and video conferencing. The vulnerability allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests, exploiting an improper neutralization of special elements in the SQL Command.
You're affected if you use An improper neutralization of special elements used. Affected versions: 7.2.2, 7.0.7 If you don't recognise this software, you're probably not affected.
Upgrade to FortiVoice 7.0.8 or above (solution in vendor advisory)
- Immediate mitigations:
- Restrict network access to your FortiVoice instance (firewall it from the public internet)
- Audit admin account activity for suspicious access patterns
- Monitor for unauthorized token creation