CVE-2025-68649 PUBLISHED

Assigner: fortinet
Reserved: 22.12.2025 Published: 14.04.2026 Updated: 14.04.2026

An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
CVSS Score: 5.4

Product Status

Vendor: Fortinet
Product: FortiManager Cloud
Versions (default: unaffected):
  • affected from 7.6.2 to 7.6.4 (incl.)
  • affected from 7.4.1 to 7.4.7 (incl.)
  • affected from 7.2.1 to 7.2.12 (incl.)
  • affected from 7.0.1 to 7.0.16 (incl.)

Vendor: Fortinet
Product: FortiManager
Versions (default: unaffected):
  • affected from 7.6.0 to 7.6.4 (incl.)
  • affected from 7.4.0 to 7.4.7 (incl.)
  • affected from 7.2.0 to 7.2.12 (incl.)
  • affected from 7.0.0 to 7.0.16 (incl.)

Vendor: Fortinet
Product: FortiAnalyzer
Versions (default: unaffected):
  • affected from 7.6.0 to 7.6.4 (incl.)
  • affected from 7.4.0 to 7.4.7 (incl.)
  • affected from 7.2.0 to 7.2.12 (incl.)
  • affected from 7.0.0 to 7.0.16 (incl.)

Vendor: Fortinet
Product: FortiAnalyzer Cloud
Versions (default: unaffected):
  • Version 7.6.2 is affected
  • affected from 7.4.1 to 7.4.7 (incl.)
  • affected from 7.2.1 to 7.2.12 (incl.)
  • affected from 7.0.1 to 7.0.16 (incl.)

Solutions

  • Upgrade to FortiManager Cloud version 7.6.5 or above
  • Upgrade to FortiManager Cloud version 7.4.8 or above
  • Upgrade to FortiManager version 7.6.5 or above
  • Upgrade to FortiManager version 7.4.8 or above
  • Upgrade to FortiAnalyzer version 7.6.5 or above
  • Upgrade to FortiAnalyzer version 7.4.8 or above
  • Upgrade to FortiAnalyzer Cloud version 7.6.5 or above
  • Upgrade to FortiAnalyzer Cloud version 7.4.8 or above

Problem Types

  • Escalation of privilege CWE