
PEACH
Un cadre d’isolation des locataires
CVE-2026-59839 is a path traversal vulnerability (CWE-22) in Fortinet FortiOS, FortiPAM, and FortiProxy that may allow a privileged authenticated attacker with physical access to delete the file system via crafted CLI commands. It was published on July 14, 2026, and reported by the UK's National Cyber Security Centre (NCSC) under responsible disclosure. Affected products include FortiOS 6.4 through 7.6.6, FortiPAM 1.0 through 1.8.0, and FortiProxy 7.0 through 7.6.5. The vulnerability carries a CVSSv3 score of 5.0 (Medium) (FortiGuard Advisory).
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and resides in the CLI component of the affected Fortinet products. An attacker can craft specific CLI commands that traverse outside the intended restricted directory, potentially reaching and deleting files on the root file system. Exploitation requires physical access to the device and high-level (privileged) authentication, making the attack vector physical (AV:P) with high privileges required (PR:H). The specific CLI commands or parameters enabling the traversal have not been publicly detailed (FortiGuard Advisory).
Successful exploitation allows a privileged attacker with physical device access to delete arbitrary files on the root file system, resulting in high integrity and availability impacts with no confidentiality impact. This could lead to complete service disruption or destruction of the device's operating environment, effectively rendering the affected appliance inoperable. Given the physical access requirement and high privilege precondition, the risk of widespread or remote exploitation is significantly limited (FortiGuard Advisory).
../ or equivalent encoded variants) to reference file system paths outside the intended restricted directory.../, %2e%2e/) or targeting root file system paths outside normal operational directories.Fortinet has released patched versions and recommends upgrading as follows: FortiOS to 7.6.7 or above (7.6.x), 7.4.10 or above (7.4.x), or migrating from 7.2, 7.0, and 6.4 to a fixed release; FortiPAM to 1.8.1 or above (1.8.x), upcoming 1.7.3 or above (1.7.x), or migrating from all earlier versions; FortiProxy to 7.6.6 or above (7.6.x), 7.4.14 or above (7.4.x), or migrating from 7.2 and 7.0. A virtual patch named "FG-VD-60139.0day" is available in FMWP database update 26.021 for those unable to upgrade immediately. Organizations should also enforce strict physical access controls to limit who can interact with affected devices (FortiGuard Advisory).
The vulnerability was reported by the UK's National Cyber Security Centre (NCSC) under responsible disclosure, indicating coordinated handling. Security news outlets including CyberSecurityNews, GBHackers, and CyberPress covered the broader Fortinet patch release addressing seven vulnerabilities, of which CVE-2026-59839 was one. Community reaction has been measured given the medium severity rating and the physical access requirement, with no significant alarm or controversy noted (CyberSecurityNews, GBHackers).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."