Medium

Path Traversal in Fortinet CLI Components

IdentifiersCVE-2025-61624CWE-22· Improper Limitation of a Pathname…

CVE-2025-61624 is a path traversal vulnerability in CLI components of multiple Fortinet products, including FortiOS 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, all 7.2, 7.0, and 6.4 versions; FortiPAM 1.7.0 and all 1.6 through 1.0 versions; FortiProxy 7.6.0 through 7.6.4, 7.4.0 through 7.4.11, and all 7.2 and 7.0 versions; and FortiSwitchManager 7.2.0 through 7.2.7 and 7.0.0 through 7.0.6. The flaw is classified as Improper Limitation of a Pathname to a Restricted Directory (CWE-22). According to the provided content, an authenticated attacker with an admin profile and at least read-write permissions can exploit specific CLI commands to write or delete arbitrary files outside intended directories. The content also notes Fortinet tracked this issue as FG-IR-26-122 and that it has been reported as exploited in the wild.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary file write or file deletion on the affected appliance through vulnerable CLI functionality. Because the attacker must already hold an authenticated administrative profile with at least read-write permissions, the direct impact is post-authentication manipulation of the underlying filesystem. The provided context further states the flaw can enable privilege escalation and was likely chained with another issue in observed attacks, indicating it may be used to deepen compromise, alter system state, or facilitate follow-on actions once initial privileged access is obtained.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by tightly restricting CLI access to trusted administrators only, minimizing the number of accounts with admin profiles and read-write permissions, enforcing least privilege, and monitoring for suspicious use of the affected CLI commands. Because exploitation requires authenticated internal or administrative access, additional mitigations include limiting management-plane reachability, segmenting management interfaces, reviewing administrative account activity, and auditing for unexpected file creation or deletion on affected systems. The content does not provide any vendor-specific workaround beyond patching.

Remediation

Patch, then assume compromise.

Apply Fortinet security updates that remediate CVE-2025-61624 in the affected product branches. The vulnerable versions listed in the provided content are affected through FortiOS 7.6.4 and 7.4.9, all FortiOS 7.2/7.0/6.4 versions, FortiPAM 1.7.0 and all earlier 1.x branches, FortiProxy 7.6.4 and 7.4.11 and all 7.2/7.0 versions, and FortiSwitchManager 7.2.7 and 7.0.6. Administrators should upgrade to vendor-fixed releases for their specific product line and branch as provided by Fortinet advisories.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FortinetFortiosoperating_system

FortinetFortipamoperating_system

FortinetFortiproxyapplication

FortinetFortiswitchmanagerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

bleeping computerNews

Jun 16, 2026

Critical Fortinet FortiSandbox flaws now exploited in attacks

A medium-severity path traversal vulnerability in Fortinet products that can let authenticated attackers escalate privileges and was reported as exploited in the wild.

cyber security newsNews

Apr 14, 2026

Fortinet Patches 11 Vulnerabilities Across FortiSandbox, FortiOS, FortiAnalyzer, and FortiManager

A medium-severity path traversal vulnerability affecting CLI components in FortiOS, FortiPAM, FortiProxy, and FortiSwitchManager, requiring authenticated internal access.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-61624

NVD

nvd.nist.gov/vuln/detail/CVE-2025-61624

MITRE CWE · CWE-22

Improper Limitation of a Pathname to a…

Vendor Advisory

fortiguard.fortinet.com/psirt/FG-IR-26-122

cert-portal.siemens.com

cert-portal.siemens.com/productcert/html/ssa-975644.html