CVE-2025-53847
FortiOS 脆弱性の分析と軽減

概要

CVE-2025-53847 is a Missing Authentication for Critical Function vulnerability (CWE-306) in the CAPWAP daemon of Fortinet FortiOS and FortiSwitchManager. It allows a local unauthenticated attacker on the same IP subnet to write device configuration via specially crafted requests, but only under a specific non-default configuration. Affected versions include FortiOS 6.2.9–6.2.17, 6.4 (all versions), 7.0.0–7.0.17, 7.2.0–7.2.11, 7.4.0–7.4.8, and 7.6.0–7.6.3. The vulnerability was internally discovered and initially published on April 14, 2026. Fortinet rates it at CVSS v3.1 score 6.2 (Medium), while NVD assigns a score of 8.8 (High) (FortiGuard Advisory).

技術的な詳細

The root cause is CWE-306 (Missing Authentication for Critical Function) in the CAPWAP (Control and Provisioning of Wireless Access Points) daemon within FortiOS and FortiSwitchManager. An attacker on the same local IP subnet can send specially crafted CAPWAP requests to the daemon without authenticating, enabling unauthorized writes to device configuration. Exploitation requires the target FortiGate to run a non-default configuration — specifically, if auto-auth-extension-device is enabled in config system interface, any device can be authorized and the vulnerability exploited without administrator authorization; if inter-controller-peer is set, the inter-controller-key should be changed even on patched versions. The attack vector is adjacent network (AV:A), requires no privileges or user interaction, and has low attack complexity (FortiGuard Advisory).

影響

Successful exploitation allows an adjacent-network attacker to execute unauthorized code or commands and write arbitrary device configurations to the affected FortiOS system. This results in high impact to confidentiality, integrity, and availability of the device, potentially enabling full system compromise, policy manipulation, or disruption of network security controls managed by the FortiGate. Lateral movement within the network is a realistic consequence given the central role FortiOS devices play in network security infrastructure (FortiGuard Advisory, CIS Advisory).

エクスプロイテーションのステップ

  1. Reconnaissance: Identify FortiGate devices running vulnerable FortiOS versions (6.2.9–6.2.17, 6.4.x, 7.0.0–7.0.17, 7.2.0–7.2.11, 7.4.0–7.4.8, or 7.6.0–7.6.3) on the same local IP subnet using network scanning tools such as Nmap.
  2. Verify non-default configuration: Confirm that the target FortiGate has auto-auth-extension-device enabled in config system interface, or has inter-controller-peer configured in config wireless-controller inter-controller, as exploitation requires one of these non-default settings.
  3. Craft malicious CAPWAP request: Construct a specially crafted CAPWAP protocol request targeting the CAPWAP daemon on the FortiGate device, bypassing authentication checks due to the missing authentication for the critical function.
  4. Write device configuration: Send the crafted request from the adjacent network to overwrite or modify device configuration parameters, potentially disabling security controls, adding rogue access points, or altering routing/firewall policies.
  5. Achieve objective: Leverage the modified configuration for further access, lateral movement, or persistent control of the network environment (FortiGuard Advisory).

妥協の兆候

  • Network: Unexpected or anomalous CAPWAP protocol traffic (UDP port 5246/5247) originating from unauthorized or unknown devices on the local subnet targeting FortiGate management interfaces.
  • Logs: FortiOS system logs showing unauthorized configuration changes, especially to wireless controller or interface settings; log entries referencing CAPWAP daemon activity from unrecognized source IPs.
  • Configuration: Unexpected changes to config system interface (e.g., auto-auth-extension-device enabled), config wireless-controller inter-controller (new inter-controller-peer entries), or newly authorized FortiAP devices not recognized by administrators.
  • Process/Daemon: Unusual CAPWAP daemon activity or restarts logged in FortiOS diagnostics; unauthorized devices appearing in Wifi Controller > Managed FortiAPs (FortiGuard Advisory).

軽減策と回避策

Fortinet has released patched versions: FortiOS 7.6.4, 7.4.9, 7.2.12, and 7.0.18. FortiOS 6.4 (all versions) and 6.2.9–6.2.17 users should migrate to a supported fixed release using Fortinet's upgrade path tool. As immediate workarounds: disable security fabric access on interfaces, allow only legitimate devices in Wifi Controller > Managed FortiAPs, and remove inter-controller-peer elements from config wireless-controller inter-controller. If inter-controller-peer is configured, change the inter-controller-key even after upgrading to a fixed version. Ensure auto-auth-extension-device remains disabled (it is off by default) (FortiGuard Advisory).

コミュニティの反応

The vulnerability was covered as part of a broader Fortinet patch release addressing 11 vulnerabilities across FortiSandbox, FortiOS, FortiAnalyzer, and FortiManager, receiving coverage from cybersecurity news outlets including CyberSecurityNews and CyberPress (CyberSecurityNews). The Center for Internet Security (CIS) issued an advisory noting that multiple Fortinet vulnerabilities in this batch could allow for arbitrary code execution (CIS Advisory). No notable individual researcher commentary or significant social media discussion specific to CVE-2025-53847 has been observed beyond standard vulnerability reporting.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 FortiOS 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2025-53844HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいMay 12, 2026
CVE-2025-53847HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいApr 14, 2026
CVE-2026-22153HIGH8.1
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいFeb 10, 2026
CVE-2025-67862MEDIUM6.7
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
いいえはいJun 09, 2026
CVE-2025-61624MEDIUM6.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
いいえはいApr 14, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者