VYPR
advisoryPublished Jul 14, 2026· 1 source

Fortinet Devices Vulnerable to Root File System Deletion via CLI Path Traversal

A critical path traversal vulnerability in Fortinet's FortiOS, FortiPAM, FortiProxy, and FortiSwitch Manager allows authenticated attackers with physical access to delete the root file system via crafted CLI commands.

Fortinet has disclosed a significant path traversal vulnerability, identified as CWE-22, affecting multiple of its network security and management products. The flaw, detailed in PSIRT advisory FG-IR-26-151, allows a privileged authenticated attacker with physical access to a vulnerable device to execute crafted command-line interface (CLI) commands that can delete the entire root file system.

The vulnerability specifically impacts several versions of FortiOS, FortiPAM, FortiProxy, and FortiSwitch Manager. For FortiOS, versions 7.6.0 through 7.6.6, 7.4.0 through 7.4.9, and all versions of 7.2, 7.0, and 6.4 are affected. FortiPAM versions 1.8.0, 1.7.0 through 1.7.2, and all versions of 1.6, 1.5, 1.4, 1.3, 1.2, 1.1, and 1.0 are also vulnerable. In the FortiProxy line, versions 7.6.0 through 7.6.5 and 7.4 through 7.4.13 are impacted, along with all versions of 7.2 and 7.0. The advisory provides a detailed table outlining affected versions and the recommended upgrade paths.

Exploitation requires an attacker to possess administrative credentials and physical access to the targeted device. This combination of requirements limits the attack surface, but the potential impact—complete deletion of the root file system—is severe, leading to a total denial of service and potential data loss. The vulnerability has been assigned a CVSSv3 score of 5.0, categorizing it as moderate in severity, though the impact could be considered high given the nature of the potential damage.

Fortinet recommends immediate upgrades to fixed versions for all affected products. For FortiOS, users should upgrade to 7.6.7 or later, 7.4.10 or later, or migrate to a fixed release for older versions. Similarly, FortiPAM and FortiProxy users are advised to upgrade to specific newer versions or migrate to fixed releases. Fortinet also offers an upgrade tool to assist customers in navigating the recommended upgrade paths.

In addition to the recommended patches, Fortinet has made a virtual patch available through its FortiManager Web Protection (FMWP) database update 26.021. This virtual patch, named "FG-VD-60139.0day," can provide immediate protection against exploitation while administrators work to apply the full software updates.

The disclosure of this vulnerability highlights the ongoing risks associated with improper input validation, particularly in command-line interfaces that manage critical system functions. Path traversal vulnerabilities, while a well-understood class of flaws, continue to appear in complex network appliances, underscoring the need for rigorous security testing throughout the development lifecycle.

Fortinet has credited the UK's National Cyber Security Centre (NCSC) for reporting this vulnerability under a responsible disclosure program. The timeline indicates initial publication on July 14, 2026, with no mention of active exploitation in the wild at the time of disclosure.

Synthesized by Vypr AI