Path Traversal in CLI

Monitor | CVSS 5.4 | FG-IR-26-120 | Apr 14, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

A path traversal vulnerability in the FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, and FortiManager Cloud command-line interface (CLI) allows an authenticated administrative user to delete arbitrary files on the system by supplying specially crafted input to CLI commands. The vulnerability enables file deletion outside the intended directory scope.

What this means
What could happen
An administrator with CLI access could delete critical system or configuration files, causing service outages, data loss, or system instability. This could disrupt your ability to manage firewalls and network monitoring if FortiAnalyzer or FortiManager services fail.
Who's at risk
Organizations running FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, or FortiManager Cloud for network device and firewall management should evaluate if versions 7.0–7.6.4 are deployed. This affects network administrators and security operations teams that rely on these management platforms for firewall configuration, log analysis, and network monitoring across your organization.
How it could be exploited
An attacker with valid administrative credentials and CLI access to FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, or FortiManager Cloud could execute malicious commands containing path traversal sequences (e.g., "../../../") to delete files outside the intended directories, including critical system files. The attack requires only crafting a CLI command with path traversal characters and submitting it through the CLI interface.
Prerequisites
  • Valid administrative user credentials
  • Access to the FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, or FortiManager Cloud CLI interface
  • High privilege level (administrative role)
  • Requires high privilege (admin) credentials
  • Low attack complexity
  • Local access required
  • Could lead to system file deletion and service disruption
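The bug class described above, as an added example that is not Fortinet's code and not part of the original advisory: a delete helper that joins caller input to a base directory unchecked, next to one that resolves the path and enforces containment before deleting. The function names, the reports directory and the file names are hypothetical, and everything runs inside a throwaway temporary directory.

```python
import os
import tempfile

def delete_unsafe(base_dir, name):
    """Vulnerable pattern: caller input is joined to the base directory unchecked."""
    target = os.path.join(base_dir, name)
    os.remove(target)
    return target

def delete_contained(base_dir, name):
    """Hardened pattern: resolve the path, then require it to sit under base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks; join() discards base
    # entirely when name is absolute, so that case is caught here as well.
    target = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so "reports-old" never
    # passes as being inside "reports".
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside {base}: {name!r}")
    os.remove(target)
    return target

def demo():
    """Run both patterns against a throwaway tree; return what survived."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        reports = os.path.join(root, "reports")
        os.mkdir(reports)
        # Constructed sample files: one in scope, two standing in for system files.
        paths = {n: os.path.join(root, n)
                 for n in ("reports/old.log", "system_a.conf", "system_b.conf")}
        for p in paths.values():
            open(p, "w").close()
        delete_unsafe(reports, "../system_a.conf")
        out["unsafe_deleted_outside"] = not os.path.exists(paths["system_a.conf"])
        blocked = 0
        for attempt in ("../system_b.conf", paths["system_b.conf"], "."):
            try:
                delete_contained(reports, attempt)
            except PermissionError:
                blocked += 1
        out["contained_blocked"] = blocked
        out["outside_file_survived"] = os.path.exists(paths["system_b.conf"])
        delete_contained(reports, "old.log")
        out["in_scope_deleted"] = not os.path.exists(paths["reports/old.log"])
    return out

if __name__ == "__main__":
    print(demo())
```

The containment check runs on the resolved path rather than on the raw string, which is why filtering the input for "../" alone is not an equivalent control.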
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (16)
16 with fix
Product | Affected Versions | Fix Status
FortiAnalyzer | 7.6.0 - 7.6.4 | 7.6.5+
FortiAnalyzer | 7.4.0 - 7.4.7 | 7.4.8+
FortiAnalyzer | 7.2 all versions | Migrate to fixed release
FortiAnalyzer | 7.0 all versions | Migrate to fixed release
FortiAnalyzer Cloud | 7.6.0 - 7.6.4 | 7.6.5+
Remediation & Mitigation
Do now
FortiAnalyzer
HARDENING: Restrict CLI access to FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, and FortiManager Cloud to only authorized administrative users
All products
HARDENING: Review and audit recent CLI command history on affected management platforms for suspicious file deletion commands
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiAnalyzer
HOTFIX: Update FortiAnalyzer to version 7.6.5 or later, or 7.4.8 or later if on 7.4.x branch
HOTFIX: Update FortiAnalyzer Cloud to version 7.6.5 or later, or 7.4.8 or later if on 7.4.x branch
HOTFIX: For FortiAnalyzer and FortiManager on versions 7.0 or 7.2 (end-of-life), migrate to a supported version (7.4.8+ or 7.6.5+)
FortiManager
HOTFIX: Update FortiManager to version 7.6.5 or later, or 7.4.8 or later if on 7.4.x branch
HOTFIX: Update FortiManager Cloud to version 7.6.5 or later, or 7.4.8 or later if on 7.4.x branch