CVE-2025-61624
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4,...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- September 29, 2025
- Published Date
- April 14, 2026
- Last Updated
- May 12, 2026
- Vendor
- Fortinet
- Product
- FortiOS, FortiProxy, FortiSwitchManager, FortiPAM
- Description
- An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.7.0, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSwitchManager 7.2.0 through 7.2.7, FortiSwitchManager 7.0.0 through 7.0.6 may allow an authenticated attacker with admin profile and at least read-write permissions to write or delete arbitrary files via specific CLI commands.
CVSS Scores
CVSS v3.1
5.4 - MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C
SSVC Information
- Exploitation
- none
- Technical Impact
- partial
Exploit Status
- Exploited in the Wild
- Yes (2026-04-14 04:00:00 UTC) Source
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2026-04-14 04:00:00 UTC |
Timeline
-
CVE ID Reserved
-
Added to KEVIntel
-
CVE Published to Public