Path traversal vulnerability in CLI
Summary
Multiple relative path traversal vulnerabilities [CWE-23] in FortiMail, FortiVoice, FortiRecorder, FortiCamera & FortiNDR may allow a privileged attacker to read files from the underlying filesystem via crafted CLI requests.
| Version | Affected | Solution |
|---|---|---|
| FortiCamera 2.2 | Not affected | Not Applicable |
| FortiCamera 2.1 | 2.1 all versions | Migrate to a fixed release |
| FortiCamera 2.0 | 2.0.0 | Upgrade to upcoming 2.0.1 or above |
| FortiCamera 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiCamera 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiMail 7.6 | 7.6.0 through 7.6.1 | Upgrade to 7.6.2 or above |
| FortiMail 7.4 | 7.4.0 through 7.4.3 | Upgrade to 7.4.4 or above |
| FortiMail 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiMail 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiMail 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiNDR 7.6 | 7.6.0 through 7.6.1 | Upgrade to 7.6.2 or above |
| FortiNDR 7.4 | 7.4.0 through 7.4.6 | Upgrade to 7.4.7 or above |
| FortiNDR 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiNDR 7.1 | 7.1 all versions | Migrate to a fixed release |
| FortiNDR 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiNDR 1.5 | Not affected | Not Applicable |
| FortiRecorder 7.2 | 7.2.0 through 7.2.1 | Upgrade to 7.2.2 or above |
| FortiRecorder 7.0 | 7.0.0 through 7.0.4 | Upgrade to 7.0.5 or above |
| FortiRecorder 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiVoice 7.2 | Not affected | Not Applicable |
| FortiVoice 7.0 | 7.0.0 through 7.0.3 | Upgrade to 7.0.5 or above |
| FortiVoice 6.4 | 6.4.0 through 6.4.9 | Upgrade to 6.4.10 or above |
| FortiVoice 6.0 | 6.0 all versions | Migrate to a fixed release |
Acknowledgement
Internally discovered and reported by Théo Leleu of Fortinet Product Security team.
Timeline
2025-08-12: Initial publication
2025-08-13: FortiNDR is fixed in 7.6.2