Fortinet Patches Five Vulnerabilities Across FortiSandbox, FortiAP, FortiOS, FortiAnalyzer and FortiManager
Fortinet has released security advisories to address five vulnerabilities impacting its wireless access point controllers, network operating system, and enterprise management platforms. Issued on May 12, 2026, these advisories include a critical patch for an unauthenticated authorization bypass in FortiSandbox.
Critical Flaw in FortiSandbox
The most severe vulnerability disclosed is CVE-2026-26083 (FG-IR-26-136), a missing authorization flaw (CWE-862) affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS.
Rated Critical, the flaw is reachable through the GUI and requires no authentication: a remote attacker could reach restricted functionality or sensitive sandbox analysis data without any credentials.
Affected versions include FortiSandbox 5.0 and 4.4, FortiSandbox Cloud 24, 23, and 5.0, and FortiSandbox PaaS versions spanning 22.1 through 23.4. The unauthenticated attack surface makes this the highest-priority patch in the batch.
Dual CLI Command Injection in FortiAP
Two separate OS command injection vulnerabilities were disclosed affecting Fortinet’s wireless access point firmware.
CVE-2025-53680 (FG-IR-26-131) involves improper neutralization of special elements in OS commands (CWE-78) within the FortiAP CLI, affecting FortiAP 6.4 through 7.6, FortiAP-U 6.2 and 7.0, and FortiAP-W2 7.0 through 7.4.
A second CLI injection flaw, CVE-2025-53870 (FG-IR-26-133), independently affects FortiAP 6.4 through 7.6 and FortiAP-W2 7.0 through 7.4.
Both are rated Medium severity and require authenticated internal access, but successful exploitation could allow an attacker with CLI access to execute arbitrary OS-level commands on the access point hardware.
DoS Risk in FortiAnalyzer and FortiManager API
CVE-2025-67604 (FG-IR-26-137) is a "use of potentially dangerous function" weakness (CWE-676) in the API layer shared by FortiAnalyzer and FortiManager. Rated Medium, the flaw affects versions 7.0 through 8.0 of both products.
An authenticated internal attacker could trigger a denial-of-service condition through the API, potentially disrupting centralized log analysis and network management operations — critical components in enterprise SOC environments.
Out-of-Bounds Write in FortiOS CAPWAP Daemon
CVE-2025-53844 (FG-IR-26-123) is an out-of-bounds write vulnerability (CWE-787) residing in the CAPWAP (Control and Provisioning of Wireless Access Points) daemon within FortiOS.
Affecting FortiOS 7.2, 7.4, and 7.6, this flaw could allow an attacker with control over an access point endpoint to send malformed CAPWAP traffic and potentially crash or compromise the FortiOS process.
The vector is listed as "Others/Internal/Authenticated," indicating that the attack requires a foothold inside a trusted network segment, such as a rogue or compromised access point that the FortiGate accepts CAPWAP traffic from.
Vulnerability Summary
| CVE | Product | Severity | Vector | Auth Required |
|---|---|---|---|---|
| CVE-2026-26083 | FortiSandbox / Cloud / PaaS | Critical | GUI | No |
| CVE-2025-53680 | FortiAP, FortiAP-U, FortiAP-W2 | Medium | CLI | Yes |
| CVE-2025-53870 | FortiAP, FortiAP-W2 | Medium | CLI | Yes |
| CVE-2025-67604 | FortiAnalyzer, FortiManager | Medium | API | Yes |
| CVE-2025-53844 | FortiOS | Medium | CAPWAP | Yes |
Organizations running affected Fortinet products should prioritize patching CVE-2026-26083 immediately, given its Critical rating and unauthenticated attack surface.
For the remaining medium-severity flaws, security teams should apply available patches during their next maintenance window, restrict CLI and API access to trusted administrators only, and monitor internal network traffic for anomalous CAPWAP or API activity.
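The CAPWAP monitoring recommendation above can be turned into a concrete check. The following is an added example, not part of the advisory or any Fortinet tool: it parses flow records (a constructed, NetFlow-like text format) and flags CAPWAP traffic toward the wireless controller that either comes from an address outside the managed-AP subnets or carries an unusually large byte count on the control channel. The AP subnet, controller address, sample flows and the one-megabyte control-channel threshold are all assumptions chosen for illustration; CAPWAP's UDP ports 5246 (control) and 5247 (data) come from RFC 5415 and are the ports FortiGate and FortiAP use.

```python
"""Flag anomalous CAPWAP flows toward a FortiGate wireless controller.

Added example (not from the advisory or Fortinet). Flow format, sample data,
AP subnet, controller address and thresholds are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Iterable, Union

IPAddr = Union[IPv4Address, IPv6Address]

# RFC 5415 CAPWAP ports; FortiGate/FortiAP use the same ones.
CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247

# Assumed deployment: managed APs live in 10.20.0.0/24 and the FortiGate's
# wireless-management interface is 10.20.0.1.
MANAGED_AP_NETS = [ip_network("10.20.0.0/24")]
CONTROLLER_IPS = {ip_address("10.20.0.1")}

# Constructed sample flows: timestamp src dst proto sport dport bytes packets.
# Line 3 comes from outside the AP subnet; line 4 is a 2 MB burst on the
# control port, far above the keepalive/config chatter normally seen there.
SAMPLE_FLOWS = """\
2026-05-12T09:00:01Z 10.20.0.15 10.20.0.1 udp 33012 5246 1200 14
2026-05-12T09:00:02Z 10.20.0.16 10.20.0.1 udp 33013 5247 88000 610
2026-05-12T09:00:05Z 10.30.4.77 10.20.0.1 udp 40211 5246 24000 380
2026-05-12T09:00:07Z 10.20.0.15 10.20.0.1 udp 33012 5246 2000000 15000
2026-05-12T09:00:09Z 10.20.0.40 10.20.0.1 tcp 51000 443 5000 20
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPAddr
    dst: IPAddr
    proto: str
    sport: int
    dport: int
    nbytes: int
    npackets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records; blank lines and '#' comments are skipped."""
    flows: list[Flow] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, sport, dport, nbytes, npkts = line.split()
        flows.append(Flow(ts, ip_address(src), ip_address(dst), proto.lower(),
                          int(sport), int(dport), int(nbytes), int(npkts)))
    return flows


def is_capwap(flow: Flow) -> bool:
    """CAPWAP is UDP to the control or data port."""
    return flow.proto == "udp" and flow.dport in (CAPWAP_CONTROL_PORT, CAPWAP_DATA_PORT)


def find_anomalies(flows: Iterable[Flow], managed_nets, controller_ips,
                   control_bytes_threshold: int = 1_000_000) -> list[tuple[str, Flow]]:
    """Return (reason, flow) pairs for CAPWAP flows toward the controller that
    come from an unmanaged source or exceed the control-channel byte threshold
    (threshold is an assumption; tune it to the observed baseline)."""
    findings: list[tuple[str, Flow]] = []
    for f in flows:
        if not is_capwap(f) or f.dst not in controller_ips:
            continue
        if not any(f.src in net for net in managed_nets):
            findings.append(("capwap-from-unmanaged-source", f))
        elif f.dport == CAPWAP_CONTROL_PORT and f.nbytes > control_bytes_threshold:
            findings.append(("capwap-control-volume", f))
    return findings


if __name__ == "__main__":
    for reason, flow in find_anomalies(parse_flows(SAMPLE_FLOWS), MANAGED_AP_NETS, CONTROLLER_IPS):
        print(f"{reason}: {flow.ts} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"{flow.nbytes} bytes / {flow.npackets} pkts")
```

Feeding real exports into `parse_flows` requires matching its eight-column format; the value of the check is in the two rules, which only need source, destination, port and byte count. The "unmanaged source" rule is the one most directly tied to the rogue-AP scenario behind CVE-2025-53844, since a CAPWAP session the controller accepts from an unexpected address is exactly the foothold the advisory's vector describes.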
Fortinet’s PSIRT advisory page remains the authoritative source for patch version details and workarounds.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.