CVE-2025-53844
FortiOS 脆弱性の分析と軽減

概要

CVE-2025-53844 is an out-of-bounds write vulnerability (CWE-787) in the CAPWAP daemon of Fortinet FortiOS that allows an attacker controlling an authenticated FortiAP, FortiExtender, or FortiSwitch device to gain execution privileges on the FortiGate device. It affects FortiOS 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, and 7.2.0 through 7.2.11. The vulnerability was disclosed on May 12, 2026, and was internally discovered by Gwendal Guégniaud of the Fortinet Product Security team. It carries a CVSS v3.1 base score of 8.8 (High) per NVD, and 8.3 (High) per Fortinet's own advisory (FortiGuard Advisory).

技術的な詳細

The root cause is an out-of-bounds write (CWE-787) in FortiOS's CAPWAP (Control and Provisioning of Wireless Access Points) daemon, which handles communication between FortiGate and managed wireless/extension devices such as FortiAP, FortiExtender, and FortiSwitch. An attacker who controls an authenticated managed device can send specially crafted CAPWAP packets that trigger the out-of-bounds write, potentially leading to arbitrary code or command execution on the FortiGate host. Exploitation requires the attacker to already control a device that is authenticated to the FortiGate's CAPWAP service, meaning the attack vector is network-based but requires low-privilege authenticated access. No public proof-of-concept exploit code has been identified (FortiGuard Advisory).

影響

Successful exploitation allows an attacker controlling an authenticated managed device (FortiAP, FortiExtender, or FortiSwitch) to execute unauthorized code or commands on the FortiGate device, resulting in full compromise of confidentiality, integrity, and availability of the affected system. This could enable an attacker to pivot from a compromised network edge device into the core FortiGate firewall, potentially exposing all traffic passing through it, modifying security policies, or establishing persistent access for lateral movement across the protected network (FortiGuard Advisory).

エクスプロイテーションのステップ

  1. Gain control of a managed device: Compromise or physically access a FortiAP, FortiExtender, or FortiSwitch that is authenticated and managed by the target FortiGate running a vulnerable FortiOS version (7.2.0–7.2.11, 7.4.0–7.4.8, or 7.6.0–7.6.3).
  2. Establish CAPWAP communication: Use the compromised managed device's network connectivity to communicate with the FortiGate's CAPWAP daemon (default UDP port 5246).
  3. Craft malicious CAPWAP packets: Construct specially crafted CAPWAP protocol packets designed to trigger an out-of-bounds write condition in the FortiGate's CAPWAP daemon memory handling routines.
  4. Trigger the vulnerability: Send the malicious packets from the controlled managed device to the FortiGate, causing the out-of-bounds write in the daemon process.
  5. Achieve code execution: Leverage the memory corruption to redirect execution flow and execute arbitrary code or commands with the privileges of the CAPWAP daemon on the FortiGate device (FortiGuard Advisory).

妥協の兆候

  • Network: Unusual or malformed CAPWAP protocol traffic (UDP port 5246) originating from managed devices (FortiAP, FortiExtender, FortiSwitch); unexpected CAPWAP sessions from unknown or unauthorized device MAC addresses.
  • Logs: FortiGate system logs showing CAPWAP daemon crashes or restarts; unexpected process errors or segmentation faults in the capwap daemon logs; anomalous authentication events from managed devices.
  • Process: Unexpected child processes spawned by the CAPWAP daemon; unusual outbound network connections initiated by FortiGate management processes following CAPWAP activity.
  • File System: Unexpected configuration changes to FortiGate firewall policies, admin accounts, or VPN settings that were not initiated by legitimate administrators (FortiGuard Advisory).

軽減策と回避策

Fortinet has released patched versions: FortiOS 7.6.4 or later (for 7.6.x users), FortiOS 7.4.9 or later (for 7.4.x users), and FortiOS 7.2.12 or later (for 7.2.x users). Organizations should use Fortinet's upgrade path tool at https://docs.fortinet.com/upgrade-tool to plan their upgrade. As a temporary workaround, administrators can disable the CAPWAP daemon by running config globalconfig system globalset wireless-controller disableend, and similarly disable FortiExtender (set fortiextender disable). Additionally, restricting network access to FortiOS management interfaces and implementing network segmentation can reduce exposure (FortiGuard Advisory).

コミュニティの反応

Security media outlets including SecurityWeek and CSOOnline covered this vulnerability as part of Fortinet's May 2026 patch cycle, noting it alongside other critical fixes for FortiAuthenticator and FortiSandbox. The Belgian Centre for Cybersecurity (CCB) issued an advisory warning about multiple Fortinet vulnerabilities including CVE-2025-53844. Community coverage was moderate, with aggregators such as CyberSecurityNews and Cryptika reporting on the broader Fortinet patch release. No notable independent researcher commentary or significant social media discussion has been identified beyond standard patch reporting (SecurityWeek, CCB Advisory).

関連情報


ソースこのレポートは AI を使用して生成されました

関連 FortiOS 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2025-53844HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいMay 12, 2026
CVE-2025-53847HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいApr 14, 2026
CVE-2026-22153HIGH8.1
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいFeb 10, 2026
CVE-2025-67862MEDIUM6.7
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
いいえはいJun 09, 2026
CVE-2025-61624MEDIUM6.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
いいえはいApr 14, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者