Skip to main content

Fortinet FortiDeceptor CVE-2026-25690

| EUVDEUVD-2026-29549 MEDIUM
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-12 fortinet GHSA-mwp3-v9r9-4p9x
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
May 12, 2026 - 18:22 NVD
4.0 (MEDIUM) 4.3 (MEDIUM)
Analysis Generated
May 12, 2026 - 18:01 vuln.today
CVE Published
May 12, 2026 - 16:54 nvd
MEDIUM 4.0

DescriptionCVE.org

An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.0.0 through 6.0.2, FortiDeceptor 5.3.0 through 5.3.3, FortiDeceptor 5.2.0 through 5.2.1, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an authenticated attacker with at least read-only admin permission to read log files via HTTP crafted requests.

AnalysisAI

Argument injection in Fortinet FortiDeceptor 5.0 through 6.0.2 allows authenticated administrators with read-only permissions to read arbitrary log files via crafted HTTP requests, exposing sensitive system and audit logs. The vulnerability requires valid admin credentials but no elevated privileges, making it accessible to lower-privileged authenticated users. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

FortiDeceptor is Fortinet's deception-based threat detection platform that monitors network activity for suspicious behavior. The vulnerability stems from improper neutralization of argument delimiters (CWE-88) in command processing, likely within HTTP request handlers that construct backend commands or file system access operations. When processing HTTP requests with specially crafted parameters, the application fails to properly escape or validate delimiter characters, allowing attackers to inject additional arguments that alter command execution. This permits unauthorized file read operations on the underlying system, bypassing intended access controls. The affected versions span multiple major releases (5.0 through 6.0.2), indicating a long-standing implementation flaw in argument handling.

RemediationAI

Upgrade to patched versions: FortiDeceptor 5.2.2 or later for 5.2.x branch, 5.3.4 or later for 5.3.x branch, 6.0.3 or later for 6.0.x branch, or 7.0 or later if available. For systems that cannot be patched immediately, restrict read-only admin role assignment to only trusted, named administrators and implement network-level access controls limiting HTTP access to FortiDeceptor management interfaces to approved administrative IP ranges or VPNs. Monitor administrative access logs for unusual HTTP requests containing special characters or path traversal sequences. These compensating controls reduce exposure but do not eliminate the vulnerability; patching is the primary remediation. Consult Fortinet security advisory FG-IR-26-138 for exact patched version confirmation and release timelines.

CVE-2025-64446 CRITICAL POC
9.8 Nov 14

Fortinet FortiWeb contains a relative path traversal allowing unauthenticated attackers to execute administrative comman

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2025-58034 HIGH POC
7.2 Nov 18

Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized c

CVE-2016-1909 CRITICAL POC
9.8 Jan 15

Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0

CVE-2016-6909 CRITICAL POC
9.8 Aug 24

Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9

CVE-2026-21643 CRITICAL POC
9.8 Feb 06

A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized

CVE-2026-35616 CRITICAL POC
9.8 Apr 04

Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execut

CVE-2025-25256 CRITICAL POC
9.8 Aug 12

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in

CVE-2026-24858 CRITICAL
9.8 Jan 27

Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2012-1461 MEDIUM
4.3 Mar 21

The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5

CVE-2012-1459 MEDIUM
4.3 Mar 21

The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,

Share

CVE-2026-25690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy