Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Fortinet PSIRT

Out-of-bounds access in CAPWAP daemon

  • What: Out-of-bounds write in FortiOS CAPWAP daemon
  • Impact: Attackers can gain execution privileges on FortiGate

PSIRT: Out-of-bounds access in CAPWAP daemon

Summary

An Out-Of-Bounds Write vulnerability [CWE-787] in the FortiOS capwap daemon may allow an attacker controlling an authenticated FortiAP, FortiExtender or FortiSwitch to gain execution privileges on the FortiGate device.

| Version     | Affected             | Solution                   |
|-------------|----------------------|----------------------------|
| FortiOS 7.6 | 7.6.0 through 7.6.3  | Upgrade to 7.6.4 or above  |
| FortiOS 7.4 | 7.4.0 through 7.4.8  | Upgrade to 7.4.9 or above  |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Workarounds

Disable the capwap daemon:

```
config global
config system global
set wireless-controller disable
end
```

**Post-Change Configuration Validation**

```
show full | grep wireless-controller
set wireless-controller disable
set wireless-controller-port 5246
show full | grep fortiextender
set fortiextender disable
set fortiextender-data-port 25246
set fortiextender-discovery-lockdown disable
set fortiextender-provision-on-authorization disable
set fortiextender-vlan-mode disable
```

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Timeline

  • 2026-05-12: Initial publication

  • IR Number: FG-IR-26-123
  • Published Date: May 12, 2026
  • Component: OTHERS
  • Severity: High
  • Discovered: Internal
  • Attack Type: Authenticated
  • Known Exploited: No
  • CVSSv3 Score: 8.3
  • Impact: Execute unauthorized code or commands
  • CVE ID: CVE-2025-53844
  • Download: CVRF, CSAF
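As an added example (not Fortinet's own tooling), the following script checks a FortiOS version string against the affected ranges in the advisory table above and confirms from `show full | grep wireless-controller` output that the workaround is in place; the version string and CLI output embedded below are constructed samples, and the function and variable names are the author's assumptions.

```python
"""Check a FortiOS build and config against FG-IR-26-123 (added example).
Affected ranges come from the advisory table; the sample inputs are constructed."""
import re

# Per branch: (first affected, last affected, fixed release), all inclusive.
AFFECTED = {
    (7, 6): ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
    (7, 4): ((7, 4, 0), (7, 4, 8), (7, 4, 9)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
}

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'v7.4.5,build0000' or '7.4.5'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """Return (affected, fixed_release) for a (major, minor, patch) tuple.
    Branches not listed in the advisory yield (False, None)."""
    branch = AFFECTED.get(version[:2])
    if branch is None:
        return False, None
    low, high, fixed = branch
    return low <= version <= high, ".".join(map(str, fixed))

def setting_is_disabled(show_output, key):
    """True when the 'show full | grep <key>' output contains 'set <key> disable'.
    A missing line means the state cannot be confirmed, so it counts as not disabled."""
    for line in show_output.splitlines():
        parts = line.strip().split()
        if parts[:2] == ["set", key]:
            return len(parts) > 2 and parts[2] == "disable"
    return False

def assess(version_text, show_output):
    """Combine the version check with the workaround check for one device."""
    ver = parse_version(version_text)
    affected, fixed = is_affected(ver)
    return {"version": ver, "affected": affected, "fixed_release": fixed,
            "workaround": setting_is_disabled(show_output, "wireless-controller")}

# Constructed sample: a build in the 7.4 affected range with the workaround applied.
SAMPLE_VERSION = "Version: FortiGate v7.4.5,build0000 (GA.F)"
SAMPLE_SHOW = "set wireless-controller disable\nset wireless-controller-port 5246\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SHOW))
```

Calling `setting_is_disabled(output, "fortiextender")` on the second grep in the validation block applies the same check to the FortiExtender setting.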
