OS command injection in CLI
Monitor | CVSS 6.5 | FG-IR-26-133 | May 12, 2026
Fortinet
IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries
Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
OS command injection vulnerability in FortiAP and FortiAP-W2 CLI allows an administrator or CLI-authenticated user to execute arbitrary operating system commands on the wireless access point. The vulnerability exists in versions: FortiAP 6.4 (all), 7.0 (all), 7.2 (all), 7.4.0-7.4.5, and 7.6.0-7.6.2; FortiAP-W2 7.0 (all), 7.2 (all), and 7.4.0-7.4.4.
What this means
What could happen
An administrator with high privileges could execute arbitrary system commands on the wireless access point, potentially compromising network integrity, disrupting wireless services, or escalating to other systems on your network.
Who's at risk
Network and wireless teams operating Fortinet FortiAP or FortiAP-W2 wireless access points, especially those in version 6.4, 7.0, 7.2, or early 7.4/7.6 releases. Affects enterprise and utility wireless deployments used for facility management, SCADA communications, or guest/operations networks.
How it could be exploited
An attacker with administrative credentials or direct access to the management CLI can inject OS commands into a CLI parameter. These commands execute with the same privileges as the access point, giving the attacker control over the device.
Prerequisites
- High-privilege administrator account or direct CLI access to the FortiAP device
- Local or remote access to the management interface
- High-privilege account required but typically accessible to IT/OT staff
- No authentication required if attacker has CLI access
- Low complexity exploitation once credentials obtained
- No patch available for FortiAP-W2 (end-of-life product)
- Could allow lateral movement to networked systems
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (8)
5 with fix, 3 pending
Product | Affected Versions | Fix Status
FortiAP | 7.6.0 - 7.6.2 | 7.6.3+
FortiAP | 7.4.0 - 7.4.5 | 7.4.6+
FortiAP | 7.2 all versions | Migrate to fixed release
FortiAP | 7.0 all versions | Migrate to fixed release
FortiAP | 6.4 all versions | Migrate to fixed release
FortiAP-W2 | 7.4.0 - 7.4.4 | No fix yet
FortiAP-W2 | 7.2 all versions | No fix yet
FortiAP-W2 | 7.0 all versions | No fix yet
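As an added triage helper (not part of the advisory or Fortinet's own tooling), the following Python classifies an inventory of FortiAP and FortiAP-W2 firmware versions against the affected ranges and fix status in the table above; the product names and ranges come from the table, and any inventory passed in is the caller's own data.

```python
# Added triage helper (not part of the advisory): classifies FortiAP / FortiAP-W2
# firmware versions against the affected ranges and fix status in FG-IR-26-133.
from typing import NamedTuple, Tuple

class Verdict(NamedTuple):
    product: str
    version: str
    affected: bool
    action: str

def parse_version(text: str) -> Tuple[int, int, int]:
    # 'v7.4.5,build0123' -> (7, 4, 5); missing components are padded with 0
    core = text.split(",")[0].strip().lstrip("v")
    parts = [int(p) for p in core.split(".")] + [0, 0]
    return (parts[0], parts[1], parts[2])

# Per product: (branch, first_affected, last_affected, action);
# first/last of None means every release of that branch is affected.
MIGRATE = "Migrate to a fixed release (7.4.6+ or 7.6.3+)"
NO_FIX = "No fix yet: restrict management CLI access to trusted admin networks"
RANGES = {
    "FortiAP": [
        ((6, 4), None, None, MIGRATE),
        ((7, 0), None, None, MIGRATE),
        ((7, 2), None, None, MIGRATE),
        ((7, 4), (7, 4, 0), (7, 4, 5), "Upgrade to 7.4.6 or later"),
        ((7, 6), (7, 6, 0), (7, 6, 2), "Upgrade to 7.6.3 or later"),
    ],
    "FortiAP-W2": [
        ((7, 0), None, None, NO_FIX),
        ((7, 2), None, None, NO_FIX),
        ((7, 4), (7, 4, 0), (7, 4, 4), NO_FIX),
    ],
}

def assess(product: str, version: str) -> Verdict:
    # Walk the branches for this product; a branch matches on major.minor
    ver = parse_version(version)
    for branch, lo, hi, action in RANGES.get(product, []):
        if ver[:2] != branch:
            continue
        if lo is None or lo <= ver <= hi:
            return Verdict(product, version, True, action)
        return Verdict(product, version, False, "Outside the affected range listed for this branch")
    return Verdict(product, version, False, "Branch not listed in the advisory; confirm with vendor")

def triage(inventory):
    # inventory: iterable of (product, version) pairs, e.g. from an asset export
    return [assess(product, version) for product, version in inventory]
```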
Remediation & Mitigation
Do now
FortiAP
WORKAROUND: For FortiAP-W2 (no patch available), restrict management CLI access to trusted administrative networks using firewall rules or access control lists
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
FortiAP
HOTFIX: Update FortiAP 7.6.x to version 7.6.3 or later
HOTFIX: Update FortiAP 7.4.x to version 7.4.6 or later
HOTFIX: Migrate FortiAP 7.2 and 7.0 to a fixed release (7.4.6+ or 7.6.3+)
HOTFIX: Migrate FortiAP 6.4 to a fixed release (7.4.6+ or 7.6.3+)
Long-term hardening
HARDENING: Implement network segmentation to isolate management traffic to wireless access points on a dedicated administrative VLAN
CVEs (1)