PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25690 Fortinet CVE debrief

Fortinet FortiDeceptor contains an argument injection vulnerability (CWE-88) in HTTP request handling for log file access. An authenticated attacker with read-only admin privileges can craft malicious HTTP requests to read arbitrary log files on affected systems. The vulnerability stems from improper neutralization of argument delimiters in command execution contexts. This is a medium-severity information disclosure issue with network attack vector, low attack complexity, and low confidentiality impact. No privilege escalation or code execution is indicated.

Vendor
Fortinet
Product
FortiDeceptor
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-18
Advisory published
2026-05-12
Advisory updated
2026-05-18

Who should care

Organizations running FortiDeceptor deception technology for threat detection. Security teams managing FortiDeceptor deployments with multiple administrative users. Compliance officers concerned with log file confidentiality and access controls. Incident response teams investigating potential information disclosure in deception environments.

Technical summary

The vulnerability exists in FortiDeceptor's HTTP request processing for log file retrieval functionality. The application fails to properly sanitize argument delimiters when constructing commands to access log files. An authenticated user with read-only administrative privileges can inject additional arguments through crafted HTTP requests, causing the system to read log files outside the intended scope. The attack requires network access to the management interface and valid credentials with at least read-only admin permissions. The CVSS 3.1 score of 4.3 reflects limited confidentiality impact with no integrity or availability effects.
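The standard mitigation for this class of flaw (CWE-88), shown as an added example that is not FortiDeceptor code or Fortinet's fix: the user-supplied log-file name is checked against a fixed allowlist and may not begin with an option prefix, the resolved path must stay inside the log directory, and the reader is invoked as an argument vector with `--` so the name can never be parsed as a flag. The log directory, the allowlist and the use of `tail` are assumptions.

```python
# Hardened handling of a user-supplied log-file name (CWE-88 mitigation).
# Constructed illustration: the directory, allowlist and 'tail' invocation
# are assumptions, not FortiDeceptor internals.
import re
import subprocess
from pathlib import Path

LOG_DIR = Path("/var/log/app")                           # assumed location
ALLOWED_LOGS = {"access.log", "error.log", "audit.log"}  # constructed allowlist
# First character may not be '-' or '.', so the name can never be parsed as
# an option by the invoked tool or as a hidden/relative path component.
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")

class InvalidLogName(ValueError):
    """Raised for any name that fails validation."""

def validate_log_name(name: str) -> str:
    """Return the name unchanged if it is safe, else raise InvalidLogName."""
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise InvalidLogName("disallowed characters or option-like prefix")
    if name not in ALLOWED_LOGS:
        raise InvalidLogName("log file not in allowlist")
    return name

def is_valid_log_name(name: str) -> bool:
    """Boolean form of validate_log_name for use in request handlers."""
    try:
        validate_log_name(name)
        return True
    except InvalidLogName:
        return False

def build_tail_command(name: str, lines: int = 100) -> list[str]:
    """argv list: no shell, bounded count, '--' ends option parsing,
    and the resolved path must sit directly inside LOG_DIR."""
    safe = validate_log_name(name)
    if not 1 <= lines <= 10_000:
        raise InvalidLogName("line count out of range")
    path = (LOG_DIR / safe).resolve()
    if path.parent != LOG_DIR.resolve():
        raise InvalidLogName("resolved path escaped the log directory")
    return ["tail", "-n", str(lines), "--", str(path)]

def read_log(name: str, lines: int = 100) -> str:
    """Run the validated argv without a shell and return its stdout."""
    proc = subprocess.run(build_tail_command(name, lines),
                          capture_output=True, text=True, check=True)
    return proc.stdout
```

Because `validate_log_name` runs before any path or command is built, a rejected name never reaches `subprocess.run`, which is the property to verify when reviewing a log-retrieval endpoint.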

Defensive priority

medium

Recommended defensive actions

  • Review FortiDeceptor admin accounts and remove unnecessary read-only admin privileges
  • Apply Fortinet security updates when available per vendor advisory
  • Monitor HTTP request logs for anomalous patterns targeting log file endpoints
  • Implement network segmentation to limit FortiDeceptor management interface exposure
  • Audit log file access patterns for unauthorized read operations

Evidence notes

Vulnerability confirmed via NVD analysis with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Fortinet PSIRT advisory FG-IR-26-138 provides vendor confirmation. Affected versions span FortiDeceptor 5.0.x, 5.1.x, 5.2.0-5.2.1, 5.3.0-5.3.3, and 6.0.0-6.0.2.

Official resources

public