PSIRT

Arbitrary file deletion in administrative interface

Summary

An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEBUI may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.

Version | Affected | Solution
FortiDeceptor 6.2 | 6.2.0 | Upgrade to 6.2.1 or above
FortiDeceptor 6.1 | Not affected | Not Applicable
FortiDeceptor 6.0 | 6.0 all versions | Migrate to a fixed release
FortiDeceptor 5.3 | 5.3 all versions | Migrate to a fixed release
FortiDeceptor 5.2 | 5.2 all versions | Migrate to a fixed release
FortiDeceptor 5.1 | 5.1 all versions | Migrate to a fixed release
FortiDeceptor 5.0 | 5.0 all versions | Migrate to a fixed release
FortiDeceptor 4.3 | 4.3 all versions | Migrate to a fixed release
FortiDeceptor 4.2 | 4.2 all versions | Migrate to a fixed release
FortiDeceptor 4.1 | 4.1 all versions | Migrate to a fixed release
FortiDeceptor 4.0 | 4.0 all versions | Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

2026-03-10: Initial publication

IR Number: FG-IR-26-094
Published Date: Mar 10, 2026
Component: GUI
Severity: Medium
CVSSv3 Score: 6.0
Impact: Execute unauthorized code or commands
CVE ID: CVE-2026-25689

An Argument Injection vulnerability (CWE-88, CVE-2026-25689, CVSSv3 6.0) in FortiDeceptor's administrative WEBUI may allow a privileged attacker with a super-admin profile and CLI access to delete sensitive files via crafted HTTP requests. The affected versions are FortiDeceptor 6.2.0 and all versions of 6.0, 5.3, 5.2, 5.1, 5.0, 4.3, 4.2, 4.1, and 4.0; FortiDeceptor 6.1 is not affected. The solution is to upgrade FortiDeceptor 6.2.0 to 6.2.1 or above and to migrate all other affected versions to a fixed release.