Fortinet Discloses Argument Injection Vulnerability in FortiDeceptor Web UI
Fortinet has disclosed an argument injection vulnerability (FG-IR-26-138) in the FortiDeceptor web interface that allows authenticated read-only admins to read arbitrary log files via crafted HTTP requests.

Fortinet on May 12 disclosed a medium-severity argument injection vulnerability in the web administrative interface of FortiDeceptor, the company's deception-based threat detection appliance. The flaw, tracked as FG-IR-26-138, carries a CVSSv3 base score of 4.0 and stems from improper neutralization of argument delimiters in a command (CWE-88).
An authenticated attacker with at least read-only admin privileges can exploit the vulnerability by sending specially crafted HTTP requests to the affected WEB UI. This allows the attacker to read arbitrary log files from the appliance's filesystem, potentially exposing sensitive operational data, network telemetry, or reconnaissance results gathered by the deception platform.
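To make the CWE-88 pattern behind this advisory concrete, the following is an added, hypothetical Python example; it is not FortiDeceptor code and does not reflect Fortinet's fix. It models a log-viewer endpoint that shows the tail of a log by invoking `tail`: the unsafe builder splices the request parameter into a command string that is then split on whitespace, so an argument delimiter inside the parameter becomes an extra `argv` token, while the hardened builder resolves the request through a fixed allowlist, bounds the line count, confines the path to the log directory and terminates option parsing with `--`. The log identifiers, the log directory and the `is_rejected` helper are assumptions made for the example.

```python
"""Hardening a log-viewer endpoint against argument injection (CWE-88).

Hypothetical example: not FortiDeceptor code and not Fortinet's fix.
"""
import subprocess
import tempfile
from pathlib import Path

# Constructed allowlist: identifiers the UI may request -> fixed file names.
LOG_ALLOWLIST = {
    "system": "system.log",
    "decoy": "decoy-events.log",
    "audit": "audit.log",
}
LOG_DIR = Path("/var/log/appliance")  # assumed log location for the example
MAX_LINES = 500


def unsafe_build_argv(requested: str, lines: str = "50") -> list:
    """Vulnerable pattern: the request parameter is spliced into a command
    string that is then split on whitespace, so any delimiter inside the
    parameter yields extra argv tokens that `tail` treats as further files
    or options. The parameter is never checked against a known set of logs."""
    return f"tail -n {lines} {LOG_DIR}/{requested}".split()


def validate_log_name(requested: str) -> str:
    """Map a request identifier to a fixed file name; anything else is rejected."""
    if requested not in LOG_ALLOWLIST:
        raise ValueError(f"unknown log identifier: {requested!r}")
    return LOG_ALLOWLIST[requested]


def safe_build_argv(requested: str, lines: int, log_dir: Path = LOG_DIR) -> list:
    """Hardened builder: allowlisted name, bounded integer line count,
    path confined to log_dir, and `--` so no token can be parsed as an option."""
    if isinstance(lines, bool) or not isinstance(lines, int) or not 1 <= lines <= MAX_LINES:
        raise ValueError("line count must be an integer between 1 and MAX_LINES")
    name = validate_log_name(requested)
    root = log_dir.resolve()
    path = (root / name).resolve()
    if path.parent != root:  # defence in depth: never leave the log directory
        raise ValueError("resolved path escapes the log directory")
    return ["tail", "-n", str(lines), "--", str(path)]


def is_rejected(requested, lines, log_dir: Path = LOG_DIR) -> bool:
    """True if the hardened builder refuses the request (assumed helper)."""
    try:
        safe_build_argv(requested, lines, log_dir)
    except ValueError:
        return True
    return False


def read_log(requested: str, lines: int, log_dir: Path = LOG_DIR) -> str:
    """Run the validated argv as a list (no shell) and return tail's output."""
    argv = safe_build_argv(requested, lines, log_dir)
    result = subprocess.run(argv, capture_output=True, text=True, check=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    # A request value carrying a space becomes a second file argument in the
    # unsafe builder; the hardened builder rejects the same value outright.
    print("unsafe argv:", unsafe_build_argv("system.log audit.log"))
    print("rejected by hardened builder:", is_rejected("system.log audit.log", 50))

    # Constructed log directory so the hardened reader can run offline.
    with tempfile.TemporaryDirectory() as tmp:
        tmp_dir = Path(tmp)
        (tmp_dir / "decoy-events.log").write_text("line1\nline2\nline3\n")
        print("safe argv:", safe_build_argv("decoy", 2, tmp_dir))
        print(read_log("decoy", 2, tmp_dir), end="")
```

The design point is that validation happens on the identifier, not on the file name: the request never reaches the filesystem or the command line as free text, so neither whitespace nor a leading dash nor a traversal sequence can change which file the command opens, and the `--` terminator closes the remaining gap for any argument that does reach `tail`.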
The vulnerability affects multiple older branches of FortiDeceptor: versions 6.0.0 through 6.0.2, 5.3.0 through 5.3.3, 5.2.0 through 5.2.1, all versions of 5.1, and all versions of 5.0. The current and recent releases — FortiDeceptor 6.1, 6.2, 6.3, 4.3, and 4.2 — are listed as not affected.
Fortinet has not released a dedicated patch for the vulnerable versions, instead directing administrators to migrate to a fixed release. No workarounds or mitigations were provided beyond the upgrade path. Fortinet's Product Security team, specifically researcher Adham El karn, internally discovered and reported the vulnerability.
While the CVSS score is moderate and exploitation requires authentication, the exposure of log files in a deception platform is particularly concerning. FortiDeceptor is designed to detect attackers by luring them into decoy environments and monitoring their behavior; log files may contain detailed adversary activity, red team engagement data, or network topology information that could aid an attacker in evading detection or launching more targeted attacks against the real network.
Fortinet customers running affected FortiDeceptor versions should plan an immediate migration to a supported fixed release. As with all Fortinet advisory disclosures, the company has not reported any active exploitation of this vulnerability in the wild. However, the principle of least privilege should be enforced on the administrative interface, and network access to the WEB UI should be restricted to trusted management hosts.
This disclosure follows a broader pattern of Fortinet regularly addressing post-authentication vulnerabilities in its security appliances. While often scored as low to medium severity, such flaws underscore the importance of prompt patch management even for authenticated-only issues, particularly in appliances that serve critical detection and response functions within enterprise security architectures.