Out-of-bounds access in CAPWAP daemon

Plan Patch | CVSS 8.3 | FG-IR-26-123 | May 12, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Out-of-bounds write vulnerability in the FortiOS CAPWAP (Control and Provisioning of Wireless Access Points) daemon. An authenticated user can send a specially crafted CAPWAP message that causes a memory write outside allocated bounds, potentially leading to code execution with firewall privileges. Affects FortiOS versions 7.2.0–7.2.11, 7.4.0–7.4.8, and 7.6.0–7.6.3.

What this means
What could happen
An attacker with valid credentials could trigger an out-of-bounds memory write in the CAPWAP daemon, potentially allowing code execution on your FortiOS gateway. This could allow an attacker to take full control of your firewall and modify traffic rules, intercept communications, or disrupt network connectivity.
Who's at risk
Network operators running Fortinet FortiOS firewalls (versions 7.2, 7.4, or 7.6) in environments that deploy wireless access points or CAPWAP-based wireless infrastructure. This affects organizations using FortiOS as a core network security device.
How it could be exploited
An attacker with valid FortiOS login credentials sends a specially crafted CAPWAP (Control and Provisioning of Wireless Access Points) protocol message to the firewall. The malformed message triggers an out-of-bounds write in the CAPWAP daemon memory, allowing the attacker to execute arbitrary code with firewall privileges.
Prerequisites
  • Valid FortiOS user credentials
  • Network access to the FortiOS management interface or to the CAPWAP service (UDP 5246 control / 5247 data, per RFC 5415)
  • Running an affected release: 7.2.0–7.2.11, 7.4.0–7.4.8, or 7.6.0–7.6.3 (other branches are not listed in this advisory)
Tags: Remotely exploitable; Requires valid authentication credentials; Network-accessible; Out-of-bounds memory write; High CVSS score (8.3)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
3 with fix
Product   Affected Versions   Fix Status
FortiOS   7.6.0 - 7.6.3       7.6.4+
FortiOS   7.4.0 - 7.4.8       7.4.9+
FortiOS   7.2.0 - 7.2.11      7.2.12+
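The affected ranges above are per-branch, so a plain "7.2.0 through 7.6.3" comparison misclassifies already-fixed releases such as 7.2.12 and 7.4.9. The following script, added here as an example and not code from the advisory or from Fortinet, encodes the table and triages an inventory of firewalls. It accepts either a bare version string or the "Version:" line from `get system status`; the inventory entries are constructed samples, and the hostnames are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Affected ranges and first fixed release per branch, from the advisory table.
# branch -> (first affected, last affected, first fixed)
AFFECTED = {
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 4): ((7, 4, 0), (7, 4, 8), (7, 4, 9)),
    (7, 6): ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
}

# Matches "7.4.3" or "v7.4.3" inside a longer status line.
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a bare version or a `get system status` line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def fmt(ver: Tuple[int, int, int]) -> str:
    return ".".join(str(x) for x in ver)


@dataclass
class Verdict:
    host: str
    version: Tuple[int, int, int]
    status: str                      # "affected", "fixed", or "not-listed"
    fix_target: Optional[Tuple[int, int, int]]


def assess(host: str, text: str) -> Verdict:
    """Classify one device against the per-branch ranges (tuple comparison handles ordering)."""
    ver = parse_version(text)
    branch = ver[:2]
    if branch not in AFFECTED:
        # Branch not covered by this advisory: do not assume safe, check the vendor PSIRT entry.
        return Verdict(host, ver, "not-listed", None)
    lo, hi, fix = AFFECTED[branch]
    if lo <= ver <= hi:
        return Verdict(host, ver, "affected", fix)
    return Verdict(host, ver, "fixed", None)


def triage(inventory):
    """Return {host: Verdict} for an iterable of (host, version-text) pairs."""
    return {host: assess(host, text) for host, text in inventory}


def needs_patch(inventory):
    """Sorted (host, current, target) rows for every device inside an affected range."""
    rows = [
        (v.host, fmt(v.version), fmt(v.fix_target))
        for v in triage(inventory).values()
        if v.status == "affected"
    ]
    return sorted(rows)


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("fw-ot-edge-01", "Version: FortiGate-100F v7.4.3,build2573,240201 (GA.F)"),
    ("fw-ot-edge-02", "v7.2.12"),
    ("fw-dc-core-01", "7.6.3"),
    ("fw-lab-01", "Version: FortiGate-60F v7.0.15,build0632,240221 (GA.M)"),
]

if __name__ == "__main__":
    for host, current, target in needs_patch(SAMPLE_INVENTORY):
        print(f"{host}: {current} -> upgrade to {target}")
    for v in triage(SAMPLE_INVENTORY).values():
        if v.status == "not-listed":
            print(f"{v.host}: {fmt(v.version)} not covered by this advisory, verify separately")
```

The "not-listed" outcome is deliberate: a branch absent from the table (7.0 in the sample) is not evidence that it is unaffected, only that this advisory says nothing about it.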
Remediation & Mitigation
Do now
FortiOS
HARDENING: Restrict access to the FortiOS management interface to authorized administrators and trusted networks only. This does not by itself limit the CAPWAP listener (UDP 5246/5247), so also restrict which networks can reach those ports on interfaces where CAPWAP is enabled.
HARDENING: Review and enforce strong password policies for all FortiOS administrative accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiOS
HOTFIX: Update FortiOS to version 7.6.4 or later, 7.4.9 or later, or 7.2.12 or later, depending on your current branch
API: /api/v1/advisories/46d7bc01-ea7c-45f0-a947-3dddb4fe1f05
