CVE-2025-53847
FortiOS 취약성 분석 및 완화

개요

CVE-2025-53847 is a Missing Authentication for Critical Function vulnerability (CWE-306) in the CAPWAP daemon of Fortinet FortiOS and FortiSwitchManager. It allows a local unauthenticated attacker on the same IP subnet to write device configuration via specially crafted requests, but only under a specific non-default configuration. Affected versions include FortiOS 6.2.9–6.2.17, 6.4 (all versions), 7.0.0–7.0.17, 7.2.0–7.2.11, 7.4.0–7.4.8, and 7.6.0–7.6.3. The vulnerability was internally discovered and initially published on April 14, 2026. Fortinet rates it at CVSS v3.1 score 6.2 (Medium), while NVD assigns a score of 8.8 (High) (FortiGuard Advisory).

기술적 세부 사항

The root cause is CWE-306 (Missing Authentication for Critical Function) in the CAPWAP (Control and Provisioning of Wireless Access Points) daemon within FortiOS and FortiSwitchManager. An attacker on the same local IP subnet can send specially crafted CAPWAP requests to the daemon without authenticating, enabling unauthorized writes to device configuration. Exploitation requires the target FortiGate to run a non-default configuration — specifically, if auto-auth-extension-device is enabled in config system interface, any device can be authorized and the vulnerability exploited without administrator authorization; if inter-controller-peer is set, the inter-controller-key should be changed even on patched versions. The attack vector is adjacent network (AV:A), requires no privileges or user interaction, and has low attack complexity (FortiGuard Advisory).

영향

Successful exploitation allows an adjacent-network attacker to execute unauthorized code or commands and write arbitrary device configurations to the affected FortiOS system. This results in high impact to confidentiality, integrity, and availability of the device, potentially enabling full system compromise, policy manipulation, or disruption of network security controls managed by the FortiGate. Lateral movement within the network is a realistic consequence given the central role FortiOS devices play in network security infrastructure (FortiGuard Advisory, CIS Advisory).

착취 단계

  1. Reconnaissance: Identify FortiGate devices running vulnerable FortiOS versions (6.2.9–6.2.17, 6.4.x, 7.0.0–7.0.17, 7.2.0–7.2.11, 7.4.0–7.4.8, or 7.6.0–7.6.3) on the same local IP subnet using network scanning tools such as Nmap.
  2. Verify non-default configuration: Confirm that the target FortiGate has auto-auth-extension-device enabled in config system interface, or has inter-controller-peer configured in config wireless-controller inter-controller, as exploitation requires one of these non-default settings.
  3. Craft malicious CAPWAP request: Construct a specially crafted CAPWAP protocol request targeting the CAPWAP daemon on the FortiGate device, bypassing authentication checks due to the missing authentication for the critical function.
  4. Write device configuration: Send the crafted request from the adjacent network to overwrite or modify device configuration parameters, potentially disabling security controls, adding rogue access points, or altering routing/firewall policies.
  5. Achieve objective: Leverage the modified configuration for further access, lateral movement, or persistent control of the network environment (FortiGuard Advisory).

타협의 징후

  • Network: Unexpected or anomalous CAPWAP protocol traffic (UDP port 5246/5247) originating from unauthorized or unknown devices on the local subnet targeting FortiGate management interfaces.
  • Logs: FortiOS system logs showing unauthorized configuration changes, especially to wireless controller or interface settings; log entries referencing CAPWAP daemon activity from unrecognized source IPs.
  • Configuration: Unexpected changes to config system interface (e.g., auto-auth-extension-device enabled), config wireless-controller inter-controller (new inter-controller-peer entries), or newly authorized FortiAP devices not recognized by administrators.
  • Process/Daemon: Unusual CAPWAP daemon activity or restarts logged in FortiOS diagnostics; unauthorized devices appearing in Wifi Controller > Managed FortiAPs (FortiGuard Advisory).

완화 및 해결 방법

Fortinet has released patched versions: FortiOS 7.6.4, 7.4.9, 7.2.12, and 7.0.18. FortiOS 6.4 (all versions) and 6.2.9–6.2.17 users should migrate to a supported fixed release using Fortinet's upgrade path tool. As immediate workarounds: disable security fabric access on interfaces, allow only legitimate devices in Wifi Controller > Managed FortiAPs, and remove inter-controller-peer elements from config wireless-controller inter-controller. If inter-controller-peer is configured, change the inter-controller-key even after upgrading to a fixed version. Ensure auto-auth-extension-device remains disabled (it is off by default) (FortiGuard Advisory).

커뮤니티 반응

The vulnerability was covered as part of a broader Fortinet patch release addressing 11 vulnerabilities across FortiSandbox, FortiOS, FortiAnalyzer, and FortiManager, receiving coverage from cybersecurity news outlets including CyberSecurityNews and CyberPress (CyberSecurityNews). The Center for Internet Security (CIS) issued an advisory noting that multiple Fortinet vulnerabilities in this batch could allow for arbitrary code execution (CIS Advisory). No notable individual researcher commentary or significant social media discussion specific to CVE-2025-53847 has been observed beyond standard vulnerability reporting.

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 FortiOS 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2025-53844HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
아니요May 12, 2026
CVE-2025-53847HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
아니요Apr 14, 2026
CVE-2026-22153HIGH8.1
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
아니요Feb 10, 2026
CVE-2025-67862MEDIUM6.7
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
아니요Jun 09, 2026
CVE-2025-61624MEDIUM6.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
아니요Apr 14, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자