Fortinet Patches Critical RCE in FortiAP, High Vulns in FortiOS
Key Takeaways
- Fortinet has released patches for five vulnerabilities impacting its enterprise security products.
- The most critical flaw, CVE-2026-26083, affects FortiSandbox and allows unauthenticated remote access to sensitive data.
- Other vulnerabilities include command injections in FortiAP, a DoS risk in FortiAnalyzer and FortiManager, and an out-of-bounds write in FortiOS.
- Organizations should immediately apply patches, especially for the critical FortiSandbox vulnerability.
Fortinet has issued a series of security advisories on May 12, 2026, addressing five distinct vulnerabilities across several of its key product lines. These include wireless access point controllers, network operating systems, and enterprise management platforms. Among the released patches is a critical fix for an unauthenticated authorization bypass discovered in FortiSandbox.
Critical Flaw in FortiSandbox
The most significant vulnerability identified is CVE-2026-26083 (FG-IR-26-136), a critical missing authorization flaw (CWE-862). This vulnerability affects FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Rated Critical, the flaw is reachable through the graphical user interface (GUI) and, crucially, requires no authentication. This means a remote attacker could potentially gain unauthorized access to restricted functionalities or sensitive sandbox analysis data without needing any credentials.
The affected versions span FortiSandbox 5.0 and 4.4, FortiSandbox Cloud 24, 23, and 5.0, and FortiSandbox PaaS versions from 22.1 through 23.4. Due to its unauthenticated nature, this vulnerability represents the highest priority for immediate patching.
Dual CLI Command Injection in FortiAP
Fortinet also disclosed two separate operating system command injection vulnerabilities impacting the firmware of its wireless access points.
CVE-2025-53680 (FG-IR-26-131) involves the improper neutralization of special elements in OS commands (CWE-78) within the FortiAP command-line interface (CLI). This affects FortiAP 6.4 through 7.6, FortiAP-U 6.2 and 7.0, and FortiAP-W2 7.0 through 7.4.
A second, independent CLI injection flaw, CVE-2025-53870 (FG-IR-26-133), affects FortiAP 6.4 through 7.6 and FortiAP-W2 7.0 through 7.4. Both vulnerabilities are rated Medium severity and require authenticated internal access. However, successful exploitation could enable an attacker with CLI access to execute arbitrary OS-level commands on the affected access point hardware.
DoS Risk in FortiAnalyzer and FortiManager API
CVE-2025-67604 (FG-IR-26-137) highlights a use of a potentially dangerous function (CWE-676) within the API layer of both FortiAnalyzer and FortiManager. Rated Medium, this vulnerability impacts versions 7.0 through 8.0 of both products. An authenticated internal attacker could exploit this flaw via the API to trigger a denial-of-service condition, potentially disrupting crucial centralized log analysis and network management operations within enterprise Security Operations Centers (SOCs).
Out-of-Bounds Write in FortiOS CAPWAP Daemon
CVE-2025-53844 (FG-IR-26-123) is an out-of-bounds write vulnerability (CWE-787) found in the CAPWAP (Control and Provisioning of Wireless Access Points) daemon of FortiOS. This flaw affects FortiOS versions 7.2, 7.4, and 7.6. An attacker who controls an access point endpoint could send malformed CAPWAP traffic to potentially crash or compromise the FortiOS process. The attack vector is described as “Others/Internal/Authenticated,” suggesting that the exploit requires an existing foothold within a trusted network segment or a rogue AP scenario.
Vulnerability Summary
| CVE | Product | Severity | Vector | Auth Required |
|---|---|---|---|---|
| CVE-2026-26083 | FortiSandbox / Cloud / PaaS | Critical | GUI | No |
| CVE-2025-53680 | FortiAP, FortiAP-U, FortiAP-W2 | Medium | CLI | Yes |
| CVE-2025-53870 | FortiAP, FortiAP-W2 | Medium | CLI | Yes |
| CVE-2025-67604 | FortiAnalyzer, FortiManager | Medium | API | Yes |
| CVE-2025-53844 | FortiOS | Medium | CAPWAP | Yes |
What You Should Do
- Prioritize CVE-2026-26083: Organizations utilizing FortiSandbox, FortiSandbox Cloud, or FortiSandbox PaaS must apply the patch for CVE-2026-26083 immediately due to its Critical severity and unauthenticated attack vector.
- Schedule Patches for Medium Severity Flaws: For the remaining medium-severity vulnerabilities affecting FortiAP, FortiAnalyzer, FortiManager, and FortiOS, security teams should plan to apply available patches during their next scheduled maintenance window.
- Restrict Access: Ensure that CLI and API access to Fortinet devices is strictly limited to authorized and trusted administrators.
- Monitor Network Traffic: Implement vigilant monitoring of internal network traffic for any anomalous CAPWAP or API activity that could indicate attempted exploitation.
- Consult Fortinet Advisories: Refer to Fortinet’s official PSIRT advisory page for detailed patch version information and any potential workarounds.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.