Information disclosure in FortiOS - CVE-2025-68686
Published: February 10, 2026
Vulnerability identifier: #VU122538
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2025-68686
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Fortinet, Inc
Affected software:
FortiOS
FortiOS
Detailed vulnerability description
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by FortiOS SSL-VPN. A remote user can send a specially crafted HTTP request to bypass the patch developed for the symbolic link persistency mechanism and gain unauthorized access to sensitive information.
Note, the vulnerability is being exploited in the wild in conjunction with other vulnerabilities that provide access at filesystem level.
How to mitigate CVE-2025-68686
Install updates from vendor's website.