CVE-2026-25689

MEDIUM

Fortinet FortiDeceptor - Command Injection

Title source: llm

Description

An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.

References (1)

[Various Sources] https://fortiguard.fortinet.com/psirt/FG-IR-26-094

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 17.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-88

Status published

Products (2)

fortinet/fortideceptor 6.2.0

fortinet/fortideceptor 4.0.0 - 6.0.3

Published Mar 10, 2026

Tracked Since Mar 11, 2026