CVE-2025-53847
FortiOS Schwachstellenanalyse und -minderung

Überblick

CVE-2025-53847 is a Missing Authentication for Critical Function vulnerability (CWE-306) in the CAPWAP daemon of Fortinet FortiOS and FortiSwitchManager. It allows a local unauthenticated attacker on the same IP subnet to write device configuration via specially crafted requests, but only under a specific non-default configuration. Affected versions include FortiOS 6.2.9–6.2.17, 6.4 (all versions), 7.0.0–7.0.17, 7.2.0–7.2.11, 7.4.0–7.4.8, and 7.6.0–7.6.3. The vulnerability was internally discovered and initially published on April 14, 2026. Fortinet rates it at CVSS v3.1 score 6.2 (Medium), while NVD assigns a score of 8.8 (High) (FortiGuard Advisory).

Technische Details

The root cause is CWE-306 (Missing Authentication for Critical Function) in the CAPWAP (Control and Provisioning of Wireless Access Points) daemon within FortiOS and FortiSwitchManager. An attacker on the same local IP subnet can send specially crafted CAPWAP requests to the daemon without authenticating, enabling unauthorized writes to device configuration. Exploitation requires the target FortiGate to run a non-default configuration — specifically, if auto-auth-extension-device is enabled in config system interface, any device can be authorized and the vulnerability exploited without administrator authorization; if inter-controller-peer is set, the inter-controller-key should be changed even on patched versions. The attack vector is adjacent network (AV:A), requires no privileges or user interaction, and has low attack complexity (FortiGuard Advisory).

Aufprall

Successful exploitation allows an adjacent-network attacker to execute unauthorized code or commands and write arbitrary device configurations to the affected FortiOS system. This results in high impact to confidentiality, integrity, and availability of the device, potentially enabling full system compromise, policy manipulation, or disruption of network security controls managed by the FortiGate. Lateral movement within the network is a realistic consequence given the central role FortiOS devices play in network security infrastructure (FortiGuard Advisory, CIS Advisory).

Ausnutzungsschritte

  1. Reconnaissance: Identify FortiGate devices running vulnerable FortiOS versions (6.2.9–6.2.17, 6.4.x, 7.0.0–7.0.17, 7.2.0–7.2.11, 7.4.0–7.4.8, or 7.6.0–7.6.3) on the same local IP subnet using network scanning tools such as Nmap.
  2. Verify non-default configuration: Confirm that the target FortiGate has auto-auth-extension-device enabled in config system interface, or has inter-controller-peer configured in config wireless-controller inter-controller, as exploitation requires one of these non-default settings.
  3. Craft malicious CAPWAP request: Construct a specially crafted CAPWAP protocol request targeting the CAPWAP daemon on the FortiGate device, bypassing authentication checks due to the missing authentication for the critical function.
  4. Write device configuration: Send the crafted request from the adjacent network to overwrite or modify device configuration parameters, potentially disabling security controls, adding rogue access points, or altering routing/firewall policies.
  5. Achieve objective: Leverage the modified configuration for further access, lateral movement, or persistent control of the network environment (FortiGuard Advisory).

Indikatoren für Kompromittierung

  • Network: Unexpected or anomalous CAPWAP protocol traffic (UDP port 5246/5247) originating from unauthorized or unknown devices on the local subnet targeting FortiGate management interfaces.
  • Logs: FortiOS system logs showing unauthorized configuration changes, especially to wireless controller or interface settings; log entries referencing CAPWAP daemon activity from unrecognized source IPs.
  • Configuration: Unexpected changes to config system interface (e.g., auto-auth-extension-device enabled), config wireless-controller inter-controller (new inter-controller-peer entries), or newly authorized FortiAP devices not recognized by administrators.
  • Process/Daemon: Unusual CAPWAP daemon activity or restarts logged in FortiOS diagnostics; unauthorized devices appearing in Wifi Controller > Managed FortiAPs (FortiGuard Advisory).

Risikominderung und Problemumgehungen

Fortinet has released patched versions: FortiOS 7.6.4, 7.4.9, 7.2.12, and 7.0.18. FortiOS 6.4 (all versions) and 6.2.9–6.2.17 users should migrate to a supported fixed release using Fortinet's upgrade path tool. As immediate workarounds: disable security fabric access on interfaces, allow only legitimate devices in Wifi Controller > Managed FortiAPs, and remove inter-controller-peer elements from config wireless-controller inter-controller. If inter-controller-peer is configured, change the inter-controller-key even after upgrading to a fixed version. Ensure auto-auth-extension-device remains disabled (it is off by default) (FortiGuard Advisory).

Reaktionen der Community

The vulnerability was covered as part of a broader Fortinet patch release addressing 11 vulnerabilities across FortiSandbox, FortiOS, FortiAnalyzer, and FortiManager, receiving coverage from cybersecurity news outlets including CyberSecurityNews and CyberPress (CyberSecurityNews). The Center for Internet Security (CIS) issued an advisory noting that multiple Fortinet vulnerabilities in this batch could allow for arbitrary code execution (CIS Advisory). No notable individual researcher commentary or significant social media discussion specific to CVE-2025-53847 has been observed beyond standard vulnerability reporting.

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt FortiOS Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2025-53844HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NeinJaMay 12, 2026
CVE-2025-53847HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NeinJaApr 14, 2026
CVE-2026-22153HIGH8.1
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NeinJaFeb 10, 2026
CVE-2025-67862MEDIUM6.7
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NeinJaJun 09, 2026
CVE-2025-61624MEDIUM6.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NeinJaApr 14, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement