Description
An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.
Published: 2026-03-10
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privileged File Deletion due to command injection
Action: Immediate Patch
AI Analysis

Impact

FortiDeceptor fails to neutralize argument delimiters, enabling attackers with super‑admin CLI access to send crafted HTTP requests that delete sensitive files. This flaw directly compromises the integrity and confidentiality of critical system data and is classified as an argument injection weakness (CWE‑88).

Affected Systems

Fortinet FortiDeceptor versions 4.0 through 6.2.0 are vulnerable, including all intermediary releases of the 4.x, 5.x, and 6.x series. The fix is delivered in version 6.2.1 and later; earlier interim releases such as 6.1.0 also contain the correction.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.0, indicating moderate severity. EPSS shows a probability of exploitation of less than 1%, which suggests the likelihood is low but not negligible, and the issue is not listed in the CISA KEV catalog. Exploitation requires a super‑admin profile with CLI access and carefully crafted HTTP requests that reach the vulnerable argument handling code.

Generated by OpenCVE AI on April 18, 2026 at 09:38 UTC.

Remediation

Vendor Solution

  • Upgrade to FortiDeceptor version 6.2.1 or above
  • Upgrade to FortiDeceptor version 6.1.0 or above


OpenCVE Recommended Actions

  • Upgrade FortiDeceptor to version 6.2.1 or later to eliminate the flaw.
  • Upgrade FortiDeceptor to version 6.1.0 or later to eliminate the flaw.
  • Restrict super‑admin CLI access to only essential personnel and enforce strict role‑based controls.
  • Enable detailed logging of HTTP requests and monitor for unexpected DELETE operations on system files.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Improper Neutralization of Argument Delimiters in FortiDeceptor Allows Privileged File Deletion

Fri, 13 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fortinet:fortideceptor:*:*:*:*:*:*:*:*

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.
First Time appeared Fortinet
Fortinet fortideceptor
Weaknesses CWE-88
CPEs cpe:2.3:a:fortinet:fortideceptor:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:4.0.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:4.1.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:4.3.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.1.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.2.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.2.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.3.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.3.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:5.3.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortideceptor:6.2.0:*:*:*:*:*:*:*
Vendors & Products Fortinet
Fortinet fortideceptor
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:F/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-03-10T17:41:33.407Z

Reserved: 2026-02-05T08:56:55.794Z

Link: CVE-2026-25689

Vulnrichment

Updated: 2026-03-10T17:34:38.549Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:37.893

Modified: 2026-03-13T19:08:47.447

Link: CVE-2026-25689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses