CVE-2025-68649 | THREATINT

Description

An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests.

PUBLISHED Reserved 2025-12-22 | Published 2026-04-14 | Updated 2026-04-14 | Assigner fortinet

MEDIUM: 5.4CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C

Problem types

Escalation of privilege

Product status

Default status

unaffected

7.6.2 (semver)

affected

7.4.1 (semver)

affected

7.2.1 (semver)

affected

7.0.1 (semver)

affected

Default status

unaffected

7.6.0 (semver)

affected

7.4.0 (semver)

affected

7.2.0 (semver)

affected

7.0.0 (semver)

affected

Default status

unaffected

7.6.0 (semver)

affected

7.4.0 (semver)

affected

7.2.0 (semver)

affected

7.0.0 (semver)

affected

Default status

unaffected

7.6.2

affected

7.4.1 (semver)

affected

7.2.1 (semver)

affected

7.0.1 (semver)

affected

References

fortiguard.fortinet.com/psirt/FG-IR-26-120

cve.org (CVE-2025-68649)

nvd.nist.gov (CVE-2025-68649)

Download JSON