- What: OS command injection in FortiAP CLI
- Impact: Authenticated attackers can execute unauthorized commands
PSIRT: OS command injection in CLI

Summary

An OS command injection vulnerability [CWE-78] in the FortiAP and FortiAP-W2 CLI may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted CLI command.

| Version | Affected | Solution |
|---|---|---|
| FortiAP 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| FortiAP 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiAP 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiAP 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAP-W2 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiAP-W2 7.2 | 7.2.0 through 7.2.5 | Upgrade to upcoming 7.2.6 or above |

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Timeline

2026-05-12: Initial publication

- IR Number: FG-IR-26-133
- Published Date: May 12, 2026
- Component: CLI
- Severity: Medium
- Discovered: Internal
- Attack Type: Authenticated
- Known Exploited: No
- CVSSv3 Score: 6.5
- Impact: Escalation of privilege
- CVE ID: CVE-2025-53870