Format String Privilege Escalation in FortiAnalyzer/Manager 7.0-7.6.4
CVE-2025-68648 Published on March 10, 2026

A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow an attacker to escalate its privileges via specially crafted requests.

NVD

Vulnerability Analysis

CVE-2025-68648 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Use of Externally-Controlled Format String

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.


Products Associated with CVE-2025-68648

Want to know whenever a new CVE is published for Fortinet products? stack.watch will email you.

Fortinet Fortimanagercloud
 
Fortinet Fortianalyzer
 
Fortinet FortiManager
 
Fortinet Fortianalyzercloud
 

Affected Versions

Fortinet FortiManager Cloud: Fortinet FortiAnalyzer: Fortinet FortiManager: Fortinet FortiAnalyzer Cloud: