#VU122538 Information disclosure in FortiOS - CVE-2025-68686

 


Published: February 10, 2026


Vulnerability identifier: #VU122538
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2025-68686
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software:
FortiOS
Software vendor:
Fortinet, Inc

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by FortiOS SSL-VPN. A remote user can send a specially crafted HTTP request to bypass the patch developed for the symbolic link persistence mechanism and gain unauthorized access to sensitive information.

Note that the vulnerability is being exploited in the wild in conjunction with other vulnerabilities that provide access at the filesystem level.


Remediation

Install updates from the vendor's website.
