An Out-Of-Bounds Write vulnerability [CWE-787] in the FortiOS capwap daemon may allow an attacker controlling an authenticated FortiAP, FortiExtender or FortiSwitch to gain execution privileges on the FortiGate device.
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | Upgrade to 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
Workarounds: disable the capwap daemon:

```
config global
config system global
set wireless-controller disable
end
```

**Post-Change Configuration Validation**

```
show full | grep wireless-controller
set wireless-controller disable
set wireless-controller-port 5246
show full | grep fortiextender
set fortiextender disable
set fortiextender-data-port 25246
set fortiextender-discovery-lockdown disable
set fortiextender-provision-on-authorization disable
set fortiextender-vlan-mode disable
```
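To audit a fleet against this advisory offline, the following added example (not Fortinet's code) takes a device's version string and the text of its `show full-configuration` system global section, checks the version against the affected ranges in the table above, and checks whether the workaround (`set wireless-controller disable`) is present. The version string and config text are constructed sample inputs.

```python
import re

# (branch, first affected, last affected, fixed) taken from the advisory table
AFFECTED = [
    ((7, 6), (7, 6, 0), (7, 6, 3), (7, 6, 4)),
    ((7, 4), (7, 4, 0), (7, 4, 8), (7, 4, 9)),
    ((7, 2), (7, 2, 0), (7, 2, 11), (7, 2, 12)),
]

def parse_version(text):
    """Extract (major, minor, patch) from text like 'v7.4.3,build2573'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    for branch, low, high, _fixed in AFFECTED:
        if version[:2] == branch:
            return low <= version <= high
    return False  # branch not listed in the advisory

def workaround_applied(show_full_output):
    """True if the config dump contains 'set wireless-controller disable'."""
    pattern = r"^\s*set wireless-controller disable\s*$"
    return re.search(pattern, show_full_output, re.MULTILINE) is not None

def assess(version_text, show_full_output):
    """Return 'not_affected', 'mitigated' or 'vulnerable' for the device."""
    version = parse_version(version_text)
    if not is_affected(version):
        return "not_affected"
    return "mitigated" if workaround_applied(show_full_output) else "vulnerable"

# Constructed sample inputs, not captured from a real device
SAMPLE_VERSION = "FortiGate-100F v7.4.3,build2573,240201 (GA.F)"
SAMPLE_CONFIG = """config system global
    set wireless-controller disable
    set wireless-controller-port 5246
    set fortiextender disable
end
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))  # mitigated
```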
| Field | Value |
|---|---|
| IR Number | FG-IR-26-123 |
| Published Date | May 12, 2026 |
| Component | OTHERS |
| Severity | High |
| Discovered | Internal |
| Attack Type | Authenticated |
| Known Exploited | No |
| CVSSv3 Score | 8.3 |
| Impact | Execute unauthorized code or commands |
| CVE ID | CVE-2025-53844 |
admin
Author at The Sharing KH