CVE-2025-53847
FortiOS Analisi e mitigazione delle vulnerabilità

Panoramica

CVE-2025-53847 is a Missing Authentication for Critical Function vulnerability (CWE-306) in the CAPWAP daemon of Fortinet FortiOS and FortiSwitchManager. It allows a local unauthenticated attacker on the same IP subnet to write device configuration via specially crafted requests, but only under a specific non-default configuration. Affected versions include FortiOS 6.2.9–6.2.17, 6.4 (all versions), 7.0.0–7.0.17, 7.2.0–7.2.11, 7.4.0–7.4.8, and 7.6.0–7.6.3. The vulnerability was internally discovered and initially published on April 14, 2026. Fortinet rates it at CVSS v3.1 score 6.2 (Medium), while NVD assigns a score of 8.8 (High) (FortiGuard Advisory).

Dettagli tecnici

The root cause is CWE-306 (Missing Authentication for Critical Function) in the CAPWAP (Control and Provisioning of Wireless Access Points) daemon within FortiOS and FortiSwitchManager. An attacker on the same local IP subnet can send specially crafted CAPWAP requests to the daemon without authenticating, enabling unauthorized writes to device configuration. Exploitation requires the target FortiGate to run a non-default configuration — specifically, if auto-auth-extension-device is enabled in config system interface, any device can be authorized and the vulnerability exploited without administrator authorization; if inter-controller-peer is set, the inter-controller-key should be changed even on patched versions. The attack vector is adjacent network (AV:A), requires no privileges or user interaction, and has low attack complexity (FortiGuard Advisory).

Impatto

Successful exploitation allows an adjacent-network attacker to execute unauthorized code or commands and write arbitrary device configurations to the affected FortiOS system. This results in high impact to confidentiality, integrity, and availability of the device, potentially enabling full system compromise, policy manipulation, or disruption of network security controls managed by the FortiGate. Lateral movement within the network is a realistic consequence given the central role FortiOS devices play in network security infrastructure (FortiGuard Advisory, CIS Advisory).

Passaggi di sfruttamento

  1. Reconnaissance: Identify FortiGate devices running vulnerable FortiOS versions (6.2.9–6.2.17, 6.4.x, 7.0.0–7.0.17, 7.2.0–7.2.11, 7.4.0–7.4.8, or 7.6.0–7.6.3) on the same local IP subnet using network scanning tools such as Nmap.
  2. Verify non-default configuration: Confirm that the target FortiGate has auto-auth-extension-device enabled in config system interface, or has inter-controller-peer configured in config wireless-controller inter-controller, as exploitation requires one of these non-default settings.
  3. Craft malicious CAPWAP request: Construct a specially crafted CAPWAP protocol request targeting the CAPWAP daemon on the FortiGate device, bypassing authentication checks due to the missing authentication for the critical function.
  4. Write device configuration: Send the crafted request from the adjacent network to overwrite or modify device configuration parameters, potentially disabling security controls, adding rogue access points, or altering routing/firewall policies.
  5. Achieve objective: Leverage the modified configuration for further access, lateral movement, or persistent control of the network environment (FortiGuard Advisory).

Indicatori di compromesso

  • Network: Unexpected or anomalous CAPWAP protocol traffic (UDP port 5246/5247) originating from unauthorized or unknown devices on the local subnet targeting FortiGate management interfaces.
  • Logs: FortiOS system logs showing unauthorized configuration changes, especially to wireless controller or interface settings; log entries referencing CAPWAP daemon activity from unrecognized source IPs.
  • Configuration: Unexpected changes to config system interface (e.g., auto-auth-extension-device enabled), config wireless-controller inter-controller (new inter-controller-peer entries), or newly authorized FortiAP devices not recognized by administrators.
  • Process/Daemon: Unusual CAPWAP daemon activity or restarts logged in FortiOS diagnostics; unauthorized devices appearing in Wifi Controller > Managed FortiAPs (FortiGuard Advisory).

Mitigazione e soluzioni alternative

Fortinet has released patched versions: FortiOS 7.6.4, 7.4.9, 7.2.12, and 7.0.18. FortiOS 6.4 (all versions) and 6.2.9–6.2.17 users should migrate to a supported fixed release using Fortinet's upgrade path tool. As immediate workarounds: disable security fabric access on interfaces, allow only legitimate devices in Wifi Controller > Managed FortiAPs, and remove inter-controller-peer elements from config wireless-controller inter-controller. If inter-controller-peer is configured, change the inter-controller-key even after upgrading to a fixed version. Ensure auto-auth-extension-device remains disabled (it is off by default) (FortiGuard Advisory).

Reazioni della comunità

The vulnerability was covered as part of a broader Fortinet patch release addressing 11 vulnerabilities across FortiSandbox, FortiOS, FortiAnalyzer, and FortiManager, receiving coverage from cybersecurity news outlets including CyberSecurityNews and CyberPress (CyberSecurityNews). The Center for Internet Security (CIS) issued an advisory noting that multiple Fortinet vulnerabilities in this batch could allow for arbitrary code execution (CIS Advisory). No notable individual researcher commentary or significant social media discussion specific to CVE-2025-53847 has been observed beyond standard vulnerability reporting.

Risorse aggiuntive


FonteQuesto report è stato generato utilizzando l'intelligenza artificiale

Imparentato FortiOS Vulnerabilità:

CVE ID

Severità

Punteggio

Tecnologie

Nome del componente

Exploit CISA KEV

Ha la correzione

Data di pubblicazione

CVE-2025-53844HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NoMay 12, 2026
CVE-2025-53847HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NoApr 14, 2026
CVE-2026-22153HIGH8.1
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NoFeb 10, 2026
CVE-2025-67862MEDIUM6.7
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NoJun 09, 2026
CVE-2025-61624MEDIUM6.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NoApr 14, 2026

Valutazione gratuita delle vulnerabilità

Benchmark della tua posizione di sicurezza del cloud

Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.

Richiedi valutazione

Richiedi una demo personalizzata

Pronti a vedere Wiz in azione?

"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
David EstlickCISO (CISO)
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
Adam FletcherResponsabile della sicurezza
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."
Greg PoniatowskiResponsabile della gestione delle minacce e delle vulnerabilità