Cyber Posture

CVE-2022-29059

Low

Published: 14 March 2025

Published
14 March 2025
Modified
24 July 2025
KEV Added
Patch
CVSS Score 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0011 28.6th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Security Summary

CVE-2022-29059 is an SQL injection vulnerability (CWE-89) stemming from improper neutralization of special elements in SQL commands. It affects FortiWeb versions 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, and 6.2.7 and below, specifically targeting the log database through crafted string parameters.

A privileged attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables execution of arbitrary SQL commands on the log database, resulting in low integrity impact (CVSSv3.1 score of 2.7: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

The FortiGuard advisory FG-IR-22-140 provides details on this issue, including recommended mitigations and patches for affected FortiWeb versions.

Details

CWE(s)
CWE-89

Affected Products

fortinet
fortiweb
6.2.3 — 6.2.7 · 6.3.0 — 6.3.18 · 6.4.0 — 6.4.2

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
attack.mitre.org →
Why these techniques?

SQL injection in public-facing FortiWeb web app directly maps to T1190; arbitrary SQL on log DB enables stored data manipulation (T1565.001) via integrity impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References