CVE-2026-25689

Summary

An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiDeceptor6.2.0affected
FortinetFortiDeceptor6.0.0 <= 6.0.3affected
FortinetFortiDeceptor5.3.0 <= 5.3.4affected
FortinetFortiDeceptor5.2.0 <= 5.2.2affected
FortinetFortiDeceptor5.1.0affected
FortinetFortiDeceptor5.0.0affected
FortinetFortiDeceptor4.3.0affected
FortinetFortiDeceptor4.2.0affected
FortinetFortiDeceptor4.1.0 <= 4.1.1affected
FortinetFortiDeceptor4.0.0 <= 4.0.2affected

Weaknesses

  • CWE-88: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References