CVE-2025-68686

CWE-200 — Information Exposure5 documents5 sources

Severity

5.9MEDIUM

EPSS

0.0%

top 91.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios

Timeline

PublishedFeb 10

Description

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistency mechanism observed in some post-exploit cases, via crafted HTTP requests. An attacker would need first to have compromised the product via anothe…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶NVDfortinet/fortios6.4.0 — 7.4.7+1

▶CVEListV5fortinet/fortios7.6.0 — 7.6.1+4

🔴Vulnerability Details

CVEList

CVE-2025-68686: An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] vulnerability in Fortinet FortiOS 7↗2026-02-10

▶

GHSA

GHSA-839g-m33x-3w78: An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] vulnerability in Fortinet FortiOS 7↗2026-02-10

▶

📋Vendor Advisories

Fortinet

SSL-VPN Symlink Persistence Patch Bypass↗2026-02-10

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68686 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶