CVE-2026-25689

MEDIUM

Fortinet FortiDeceptor - Command Injection

Title source: llm

Description

An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.

References (1)

[Various Sources] https://fortiguard.fortinet.com/psirt/FG-IR-26-094

Scores

CVSS v3 6.5

EPSS 0.0012

EPSS Percentile 31.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Classification

CWE

CWE-88

Status draft

Timeline

Published Mar 10, 2026

Tracked Since Mar 11, 2026