Heap-based buffer overflow in cw_acd daemon

Status: Plan Patch
CVSS: 7.4
Fortinet advisory ID: FG-IR-25-084
Date: Jan 13, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Heap-based buffer overflow in the cw_acd daemon (CAPWAP protocol handler) in FortiOS and FortiSwitchManager. The vulnerability exists in multiple versions of FortiOS (6.4 through 7.6.3) and FortiSwitchManager (7.0 through 7.2.6). An attacker can send a malformed CAPWAP packet to trigger memory corruption and execute arbitrary code on the device.

What this means
What could happen
An attacker on the network could exploit a buffer overflow in the CAPWAP protocol handler to run arbitrary code on your FortiOS firewall or FortiSwitchManager, potentially gaining control of your network security appliance and the traffic passing through it.
Who's at risk
This affects organizations running Fortinet FortiOS firewalls or FortiSwitchManager devices, particularly those with CAPWAP enabled for centralized wireless access point management. Water utilities and electric utilities using these firewalls as perimeter security or network switches are at risk.
How it could be exploited
An attacker sends a specially crafted CAPWAP packet to the cw_acd daemon running on the FortiOS firewall or FortiSwitchManager. The malformed packet causes a heap buffer overflow, allowing the attacker to overwrite memory and execute arbitrary code with the privileges of the daemon process.
Prerequisites
  • Network access to the FortiOS/FortiSwitchManager device on the CAPWAP protocol port (typically UDP 5246 or 5247)
  • Device running a vulnerable FortiOS or FortiSwitchManager version
  • CAPWAP protocol enabled on the device (commonly used for centralized management of wireless access points)
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High CVSS score (7.4)
  • High EPSS score (>10%)
  • Affects critical network infrastructure devices
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (7)
7 with fix
Product               Affected Versions    Fix Status
FortiOS               7.6.0 - 7.6.3        7.6.4+
FortiOS               7.4.0 - 7.4.8        7.4.9+
FortiOS               7.2.0 - 7.2.11       7.2.12+
FortiOS               7.0.0 - 7.0.17       7.0.18+
FortiOS               6.4 all versions     Migrate to fixed release
FortiSwitchManager    7.2.0 - 7.2.6        7.2.7+
FortiSwitchManager    7.0.0 - 7.0.5        7.0.6+
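The affected ranges above are the check a defender actually has to run against inventory. The following is an added example, not code from OTPulse or Fortinet: it transcribes the table into comparable version tuples and classifies a reported build as affected, fixed or unlisted. Function names, the sample inputs and the 6.4 upper-bound sentinel are constructed here; "unlisted" means only that the advisory does not name the version, not that it is safe.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (product, first affected, last affected, first fixed in that branch).
# Transcribed from the advisory table; fixed=None means no fix in the branch.
# For 6.4 "all versions" a constructed sentinel (6, 4, 999) caps the range.
AFFECTED = [
    ("FortiOS", (7, 6, 0), (7, 6, 3), (7, 6, 4)),
    ("FortiOS", (7, 4, 0), (7, 4, 8), (7, 4, 9)),
    ("FortiOS", (7, 2, 0), (7, 2, 11), (7, 2, 12)),
    ("FortiOS", (7, 0, 0), (7, 0, 17), (7, 0, 18)),
    ("FortiOS", (6, 4), (6, 4, 999), None),
    ("FortiSwitchManager", (7, 2, 0), (7, 2, 6), (7, 2, 7)),
    ("FortiSwitchManager", (7, 0, 0), (7, 0, 5), (7, 0, 6)),
]


def parse_version(text: str) -> Version:
    """Turn 'v7.4.8' or '7.4.8,build2795' into a comparable tuple (7, 4, 8)."""
    core = text.strip().lstrip("v").split(",")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def assess(product: str, version: str) -> str:
    """Classify one device build against the advisory's affected ranges."""
    v = parse_version(version)
    for prod, lo, hi, fixed in AFFECTED:
        if prod != product:
            continue
        # Tuple comparison makes (6, 4) <= (6, 4, 15) <= (6, 4, 999) true,
        # so every 6.4.x build falls into the "all versions" row.
        if lo <= v <= hi:
            if fixed is None:
                return "affected: branch has no fix, migrate to a fixed release"
            return "affected: upgrade to " + ".".join(map(str, fixed)) + " or later"
        # Same major.minor branch at or above the fixed build counts as fixed.
        if fixed is not None and v[:2] == fixed[:2] and v >= fixed:
            return "fixed"
    return "unlisted: version not in the advisory's affected ranges"


if __name__ == "__main__":
    # Constructed sample inventory, one line per device.
    for prod, ver in [("FortiOS", "v7.4.8,build2795"), ("FortiOS", "6.4.15"),
                      ("FortiSwitchManager", "7.2.7"), ("FortiOS", "7.8.0")]:
        print(prod, ver, "->", assess(prod, ver))
```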
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to CAPWAP ports (UDP 5246, 5247) to trusted access point management networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiOS
HOTFIX: Update FortiOS 7.6 to version 7.6.4 or later
HOTFIX: Update FortiOS 7.4 to version 7.4.9 or later
HOTFIX: Update FortiOS 7.2 to version 7.2.12 or later
HOTFIX: Update FortiOS 7.0 to version 7.0.18 or later
HOTFIX: Migrate FortiOS 6.4 devices to a fixed release version (7.0.18, 7.2.12, 7.4.9, or 7.6.4 and later)
FortiSwitchManager
HOTFIX: Update FortiSwitchManager 7.2 to version 7.2.7 or later
HOTFIX: Update FortiSwitchManager 7.0 to version 7.0.6 or later