FortiDeceptor WEBUI Argument Injection Allows Arbitrary File Deletion by Privileged Attackers
Fortinet disclosed an argument injection vulnerability in FortiDeceptor's WEBUI that allows super-admin attackers with CLI access to delete sensitive files via crafted HTTP requests.

Fortinet has disclosed a medium-severity vulnerability in its FortiDeceptor deception-based threat detection platform that could allow privileged attackers to delete sensitive files through the administrative web interface. The flaw, tracked as FG-IR-26-094 and assigned CWE-88 (Improper Neutralization of Argument Delimiters in a Command), carries a CVSSv3 score of 6.0 and affects a broad range of FortiDeceptor versions spanning from 4.0 through 6.2.
The vulnerability resides in the FortiDeceptor WEBUI and is classified as an argument injection bug. To exploit it, an attacker must already hold a super-admin profile on the appliance and have command-line interface (CLI) access. From there, carefully constructed HTTP requests can be used to inject unwanted arguments into a command executed by the web interface, ultimately allowing the deletion of arbitrary files on the system. While the privileges required raise the bar for exploitation, the file deletion capability could be leveraged to disrupt services, destroy forensic evidence, or cripple the deception environment that FortiDeceptor is designed to maintain.
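An added illustration of the CWE-88 bug class described above, not code from Fortinet or the advisory, which does not name the affected command. The helper CLI `export-helper`, its `--purge` option and all request values are hypothetical and constructed; the block shows a request value being parsed as an option, then the same value neutralized by an allowlist and a `--` terminator.

```python
import argparse
import re

# Hypothetical helper CLI that a web handler shells out to. Constructed for
# this example; it is not a FortiDeceptor command.
def helper_parser():
    p = argparse.ArgumentParser(prog="export-helper")
    p.add_argument("--purge", metavar="PATH")  # destructive option the UI never exposes
    p.add_argument("name", nargs="?")          # the only value the UI means to pass
    return p

def build_argv_unsafe(name):
    # CWE-88: the request value lands where the helper still parses options.
    return [name]

# Allowlist: must start with an alphanumeric, so no leading '-' and no '/'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def build_argv_safe(name):
    # Validate first, then place the value after "--" so the helper treats it
    # as an operand even if the validation rule is later loosened.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected request value: %r" % name)
    return ["--", name]

def helper_view(argv):
    # What the helper believes it was asked to do with this argv.
    ns = helper_parser().parse_args(argv)
    return {"purge": ns.purge, "name": ns.name}

if __name__ == "__main__":
    crafted = "--purge=/constructed/path"  # constructed sample request value
    print("unsafe     :", helper_view(build_argv_unsafe(crafted)))
    print("after '--' :", helper_view(["--", crafted]))
    try:
        build_argv_safe(crafted)
    except ValueError as exc:
        print("allowlist  :", exc)
    print("benign     :", helper_view(build_argv_safe("report-2026.zip")))
```

Passing an argument vector rather than a shell string does not prevent this on its own: the unsafe builder never touches a shell, and the helper still reads the value as an option.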
Fortinet assigned the vulnerability a CVSS score of 6.0 (Medium), reflecting the significant access prerequisites but also the high potential impact on system integrity. The advisory notes that the vulnerability was internally discovered and reported by Adham El karn of Fortinet's Product Security team, and there is no evidence of exploitation in the wild as of the initial publication date of March 10, 2026.
Patches are available for the most recent affected branch. FortiDeceptor 6.2 users must upgrade to version 6.2.1 or above. For older versions — including 6.0, 5.3, 5.2, 5.1, 5.0, 4.3, 4.2, 4.1, and 4.0 — Fortinet recommends migrating to a fixed release, as no patches for those legacy branches are provided. Version 6.1 is listed as not affected.
The advisory comes amid a steady stream of vulnerabilities in Fortinet products, which remain a common target for both state-sponsored threat actors and ransomware groups. The company's large installed base across enterprise and government networks makes even medium-severity bugs a priority for security teams. While FG-IR-26-094 is not remotely exploitable without existing credentials, its presence on the attack surface underscores the importance of limiting super-admin access and enforcing strict CLI controls.
Fortinet has published the full advisory on its PSIRT portal as FG-IR-26-094, and administrators are urged to review the affected version table and apply upgrades or migrations accordingly.