CVE-2026-25689

An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://fortiguard.fortinet.com/psirt/FG-IR-26-094	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fortinet:fortideceptor::::::::
	cpe:2.3:a:fortinet:fortideceptor:6.2.0:::::::*

History

No history.

Information

Published : 2026-03-10 18:18

Updated : 2026-03-13 19:08

NVD link : CVE-2026-25689

Mitre link : CVE-2026-25689

CVE.ORG link : CVE-2026-25689

JSON object : View

Products Affected

fortinet

fortideceptor

CWE

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

{"id": "CVE-2026-25689", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2026-03-10T18:18:37.893", "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-094", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-88"}]}], "descriptions": [{"lang": "en", "value": "An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests."}, {"lang": "es", "value": "Una neutralizaci\u00f3n incorrecta de delimitadores de argumentos en un comando ('inyecci\u00f3n de argumentos') vulnerabilidad en Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 todas las versiones, FortiDeceptor 5.3 todas las versiones, FortiDeceptor 5.2 todas las versiones, FortiDeceptor 5.1 todas las versiones, FortiDeceptor 5.0 todas las versiones, FortiDeceptor 4.3 todas las versiones, FortiDeceptor 4.2 todas las versiones, FortiDeceptor 4.1 todas las versiones, FortiDeceptor 4.0 todas las versiones puede permitir a un atacante privilegiado con perfil de superadministrador y acceso CLI eliminar archivos sensibles a trav\u00e9s de solicitudes HTTP manipuladas."}], "lastModified": "2026-03-13T19:08:47.447", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortideceptor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C4C32A5-DB90-425A-8036-07C22BD41135", "versionEndIncluding": "6.0.3", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortideceptor:6.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B068BDA7-5FA0-48AF-9AD1-6E5DCBBBDA66"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}