Zero-day vulnerability in FortiOS

Information disclosure
CVE-2025-68686

Vulnerability details

Advisory: SB2026021047 - SSL-VPN symlink persistence patch bypass in FortiOS

Vulnerable component: FortiOS

CVE-ID: CVE-2025-68686

CVSSv3 score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Description:

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by FortiOS SSL-VPN. A remote user can send a specially crafted HTTP request to bypass the patch developed for the symbolic link persistency mechanism and gain unauthorized access to sensitive information.

Note, the vulnerability is being exploited in the wild in conjunction with other vulnerabilities that provide access at filesystem level.

External links:

https://www.fortiguard.com/psirt/FG-IR-25-934

https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.