ZeroPath at Black Hat USA 2026

Brief Summary: FortiOS CAPWAP Daemon Out of Bounds Write (CVE-2025-53844) Enables Remote Code Execution

A short review of CVE-2025-53844, a high severity out of bounds write in the FortiOS CAPWAP daemon that allows authenticated attackers controlling a managed device to execute arbitrary code on FortiGate appliances.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: FortiOS CAPWAP Daemon Out of Bounds Write (CVE-2025-53844) Enables Remote Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An out of bounds write in the FortiOS CAPWAP daemon gives attackers who control a managed edge device the ability to execute arbitrary code on the central FortiGate appliance. Given that FortiGate devices typically serve as the primary security gateway for enterprise networks, this vulnerability (CVE-2025-53844, CVSS 8.8) represents a serious escalation path from a compromised access point or switch to full control of the network's security enforcement point.

Technical Information

The vulnerability is classified as CWE-787 (Out of bounds Write) and resides specifically in the CAPWAP daemon within FortiOS. CAPWAP (Control And Provisioning of Wireless Access Points) is the protocol FortiGate uses to manage connected wireless access points and other edge devices such as FortiAP, FortiExtender, and FortiSwitch units.

The attack flow requires several preconditions. First, the attacker must gain control over an authenticated device that is managed by the target FortiGate. This could be a FortiAP wireless access point, a FortiExtender WAN extender, or a FortiSwitch network switch. These devices maintain authenticated CAPWAP sessions with the FortiGate controller.

Once the attacker controls such a device, they can craft malicious CAPWAP packets and send them to the FortiGate's CAPWAP daemon. The daemon fails to properly validate bounds when writing data from these packets, resulting in an out of bounds write condition. Successful exploitation allows the attacker to execute unauthorized code or commands on the FortiGate device itself.

The authenticated nature of this attack vector is worth examining carefully. While the requirement for device level authentication means this cannot be exploited through unauthenticated internet scanning, it significantly elevates the risk from two scenarios: insider threats where an attacker already has access to managed infrastructure, and supply chain or lateral movement attacks where an edge device (such as a FortiAP deployed in a less physically secure location) is compromised first and then used as a pivot point to attack the central FortiGate appliance.

Because FortiGate devices typically sit at the network perimeter and enforce security policy for the entire environment, gaining code execution on one represents a significant escalation of access. Perimeter defenses alone are insufficient if the threat originates from a compromised managed device within the trust boundary.

Fortinet has assigned this vulnerability a CVSSv3 score of 8.3 (High), while the NVD lists a CVSS score of 8.8. The discrepancy likely reflects differences in scoring the authentication and access complexity requirements.

Affected Systems and Versions

The following FortiOS versions are confirmed vulnerable:

FortiOS BranchAffected VersionsFixed Version
FortiOS 7.67.6.0 through 7.6.37.6.4 or above
FortiOS 7.47.4.0 through 7.4.87.4.9 or above
FortiOS 7.27.2.0 through 7.2.117.2.12 or above

The vulnerability specifically requires that the CAPWAP daemon (wireless controller) is enabled and that managed devices such as FortiAP, FortiExtender, or FortiSwitch units are connected to the FortiGate. Environments that do not use these managed device types or that have the wireless controller disabled are not exposed to this attack vector.

For organizations that cannot patch immediately, Fortinet has provided a temporary workaround that disables the CAPWAP daemon:

config global
config system global
set wireless-controller disable
end

This will disrupt all wireless controller functionality and should only be used as a stopgap measure.

Vendor Security History

This is not the first critical memory corruption vulnerability in the FortiOS CAPWAP daemon. In November 2025, Fortinet disclosed a stack based overflow in the same component (FG-IR-25-358) that also allowed a remote authenticated attacker to execute arbitrary code. The recurrence of memory safety issues within this specific daemon indicates that the CAPWAP implementation is a complex attack surface that has not yet been fully hardened. Security teams managing Fortinet infrastructure should treat CAPWAP related advisories with particular urgency given this pattern.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization