- What: Command injection vulnerability in FortiAP CLI
- Impact: Authenticated attackers can execute unauthorized commands
PSIRT: Command injection in CLI

Summary: An improper neutralization of special elements used in an OS command ("OS Command Injection") vulnerability [CWE-78] in FortiAP, FortiAP-U & FortiAP-W2 CLI may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI requests.

| Version | Affected | Solution |
|---|---|---|
| FortiAP 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| FortiAP 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiAP 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiAP 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAP-U 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
| FortiAP-W2 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiAP-W2 7.2 | 7.2 all versions | Migrate to a fixed release |

Acknowledgement: Internally discovered and reported by Shrikant Patil from FortiAP development team.

Timeline:
- 2026-05-12: Initial publication

- IR Number: FG-IR-26-131
- Published Date: May 12, 2026
- Component: CLI
- Severity: Medium
- Discovered: Internal
- Attack Type: Authenticated
- Known Exploited: No
- CVSSv3 Score: 6.1
- Impact: Execute unauthorized code or commands
- CVE ID: CVE-2025-53680