Fortinet advisory lists five vulnerabilities affecting FortiAP, FortiOS and FortiAnalyzer

- Fortinet published multiple PSIRT advisories on May 12 covering five vulnerabilities across FortiAP, FortiOS, FortiAnalyzer and FortiManager, with fixes and upgrade paths.
- The highest-severity item in this group appears to be CVE-2025-53844 in FortiOS, which could let an attacker who controls an authenticated device gain execution privileges on the FortiGate.
- Fortinet’s PSIRT pages list fixed versions and workarounds, including CAPWAP disablement and upgrades to 7.6.5, 7.4.9 or later.

Fortinet published a cluster of PSIRT advisories on May 12 covering five vulnerabilities across FortiAP, FortiOS, FortiAnalyzer and FortiManager, with the issues ranging from command injection to denial of service. The vendor’s advisories say the flaws affect multiple firmware branches and require customers to upgrade or migrate to fixed releases. Four of the issues are tied to authenticated attack paths, while one FortiOS flaw involves an attacker controlling an authenticated FortiAP, FortiExtender or FortiSwitch. For the advisories that include an exploitation-status field, Fortinet’s PSIRT pages say none of the listed issues were known to be exploited at publication.

### Which products are in scope in this batch?

FortiAP, FortiAP-U, FortiAP-W2, FortiOS, FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud are named in the advisories. Two of the flaws hit FortiAP product lines, one hits FortiOS, one hits the FortiAnalyzer and FortiManager API, and one older April advisory in the same patch wave covers SQL injection in the FortiAnalyzer and FortiManager JSON RPC API. (fortiguard.fortinet.com)

May 12 is the publication date listed for FG-IR-26-131, FG-IR-26-133, FG-IR-26-137 and FG-IR-26-136, while the SQL-injection advisory FG-IR-26-111 was first published on April 14. The social posts that grouped the five issues together appear to be combining those Fortinet PSIRT entries into one remediation list rather than describing a single new advisory for all five. That is an inference from Fortinet’s advisory dates and IDs. (fortiguard.fortinet.com)

### What are the two FortiAP bugs?

CVE-2025-53680 is a command-injection flaw in the FortiAP, FortiAP-U and FortiAP-W2 command-line interface. Fortinet says an authenticated privileged attacker could execute unauthorized code or commands through crafted CLI requests. The advisory lists a CVSS v3 score of 6.1 and marks the issue as medium severity. (fortiguard.fortinet.com)

CVE-2025-53870 is a second OS command-injection flaw in the FortiAP and FortiAP-W2 CLI. Fortinet says an authenticated attacker could execute unauthorized code or commands through a specifically crafted CLI command. Affected versions include FortiAP 7.6.0 through 7.6.2 and 7.4.0 through 7.4.5, with fixes in 7.6.3 and 7.4.6; FortiAP-W2 7.2.0 through 7.2.5 is listed for an upcoming 7.2.6 or later. (fortiguard.fortinet.com)

### Why is the FortiOS item the one defenders will look at first?

CVE-2025-53844 affects the FortiOS CAPWAP daemon and is described by Fortinet as an out-of-bounds write. The vendor says an attacker controlling an authenticated FortiAP, FortiExtender or FortiSwitch may be able to gain execution privileges on the FortiGate device. Fixed versions are FortiOS 7.6.4, 7.4.9 and 7.2.12 or later. Fortinet also published a workaround for that issue: disable the CAPWAP daemon by turning off the wireless controller. The advisory includes post-change validation commands and points customers to the company’s upgrade path tool. (fortiguard.fortinet.com)

### What do the FortiAnalyzer and FortiManager flaws do?

CVE-2025-67604 affects the FortiAnalyzer and FortiManager API and is described as a dangerous-function issue that may let an authenticated attacker cause a system hang through multiple specially crafted HTTP requests. Fortinet says the crashes depend on internal lock alignment that is outside the attacker’s control. Fixed versions are 7.6.5 and 7.4.9 or later, while 7.2 customers are told to migrate to a fixed release. (fortiguard.fortinet.com)

FG-IR-26-111, published on April 14, describes SQL injection in the JSON RPC API of FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud. Fortinet says an authenticated privileged attacker could execute unauthorized code or commands via crafted requests. The fixed targets are again 7.6.5 and 7.4.9 or later, with older branches directed to migrate.

### What should administrators check next?

Fortinet’s PSIRT pages tell customers to upgrade affected versions to the listed fixed releases or migrate off unsupported branches. The FortiOS advisory also gives a temporary configuration change for customers that cannot patch immediately, and the FortiAnalyzer and FortiManager advisories point to 7.6.5 and 7.4.9 as the patched releases. Administrators tracking this patch cycle should review the vendor’s PSIRT entries for FG-IR-26-131, FG-IR-26-133, FG-IR-26-137, FG-IR-26-123 and FG-IR-26-111, then match those to exposed management and CAPWAP-related deployments. (fortiguard.com) (fortiguard.fortinet.com 1) (fortiguard.fortinet.com 2)
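As an added example, not code from the article or from Fortinet, the triage helper below encodes the fixed releases the article quotes for each product and firmware branch, then checks a constructed device inventory against them so an administrator can see which hosts still need an upgrade, which sit on a branch the advisories say must migrate, and which are waiting on a release the advisory lists as upcoming. The hostnames and running versions in the inventory are invented sample data, and the threshold table covers only the branches the article states; anything outside it is reported as unknown rather than guessed.

```python
"""Patch-triage helper for the May 12 Fortinet advisory batch.

Added example (not Fortinet code). The FIXED table repeats only the fixed
releases quoted in the article; None marks a branch the advisories tell
customers to migrate away from. The inventory below is constructed sample data.
"""

from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.4.9' into (7, 4, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Fixed release per product and branch, as stated in the advisories quoted above.
FIXED: Dict[str, Dict[str, Optional[str]]] = {
    "FortiOS": {"7.6": "7.6.4", "7.4": "7.4.9", "7.2": "7.2.12"},  # CVE-2025-53844 (CAPWAP)
    "FortiAP": {"7.6": "7.6.3", "7.4": "7.4.6"},                    # CVE-2025-53870
    "FortiAP-W2": {"7.2": "7.2.6"},                                  # 7.2.6 listed as upcoming
    "FortiAnalyzer": {"7.6": "7.6.5", "7.4": "7.4.9", "7.2": None},  # CVE-2025-67604, FG-IR-26-111
    "FortiManager": {"7.6": "7.6.5", "7.4": "7.4.9", "7.2": None},
}

# Fixed releases the article says are not yet available at publication.
UPCOMING = {("FortiAP-W2", "7.2.6")}


def triage(product: str, running: str) -> str:
    """Classify one device: 'fixed', 'migrate', 'upgrade to X', 'await X ...' or 'unknown'."""
    branch = ".".join(running.split(".")[:2])
    branches = FIXED.get(product)
    if branches is None or branch not in branches:
        # The article gives no threshold for this product/branch; consult the PSIRT entry.
        return "unknown"
    target = branches[branch]
    if target is None:
        return "migrate"
    if parse_version(running) >= parse_version(target):
        return "fixed"
    if (product, target) in UPCOMING:
        return f"await {target} (listed as upcoming)"
    return f"upgrade to {target}"


# Constructed sample inventory: (hostname, product, running version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("fgt-edge-01", "FortiOS", "7.4.8"),
    ("fgt-edge-02", "FortiOS", "7.2.12"),
    ("fap-lobby", "FortiAP", "7.6.1"),
    ("fap-w2-branch", "FortiAP-W2", "7.2.3"),
    ("faz-core", "FortiAnalyzer", "7.2.9"),
    ("fmg-core", "FortiManager", "7.6.5"),
    ("fgt-legacy", "FortiOS", "6.4.15"),
]


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map every hostname to its remediation status."""
    return {host: triage(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:14} {status}")
```

Feed it the real inventory export instead of the sample list and treat every "unknown" as a prompt to read the PSIRT entry rather than as a clean result; the branch table is deliberately limited to what the advisories state.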
