Medium severity6.0NVD Advisory· Published Apr 14, 2026· Updated Apr 22, 2026

CVE-2025-68649

Description

An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests.

Affected products

Fortinet/Fortianalyzer
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
Range: >=7.0.0,<7.4.8
Fortinet/Fortianalyzer Cloud
cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:*
Range: >=7.0.0,<7.4.8
Fortinet/Fortimanager
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
Range: >=7.0.0,<7.4.8
Fortinet/Fortimanager Cloud
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*
Range: >=7.0.0,<7.4.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

fortiguard.fortinet.com/psirt/FG-IR-26-120nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.390
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000