Fortinet FortiOS and FortiSASE Stack-Based Buffer Overflow Vulnerability in CAPWAP Daemon Allowing Arbitrary Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the CAPWAP daemon of Fortinet FortiOS versions 7.6.0 to 7.6.3, 7.4.0 to 7.4.8, and all versions of FortiOS 7.2, 7.0, 6.4, 6.2, and 6.0. FortiSASE 25.3.b is also affected. The vulnerability allows remote, unauthenticated attackers on an adjacent network to execute arbitrary code or commands by sending specially crafted packets to the CAPWAP daemon. In the default configuration, exploitation requires control of an authorized FortiAP and access to the same local IP subnet. Successful exploitation also requires bypassing stack protection and Address Space Layout Randomization (ASLR).

Impact

Exploitation of this vulnerability could lead to unauthorized code execution on the affected device.

Remediation

FortiOS 7.6 users should upgrade to FortiOS 7.6.4, FortiOS 7.4 users to FortiOS 7.4.9, and users of FortiOS 7.2, 7.0, 6.4, 6.2, and 6.0 should migrate to a fixed release. Fortinet FortiSASE 25.3.b users do not need to take any action, as this issue has been remediated in FortiSASE 25.3.c.
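To turn the affected and fixed ranges above into an inventory check, here is an added example (not Fortinet's code and not part of this advisory) that classifies FortiOS version strings: any build in the 7.6 or 7.4 branch below the first fixed release is reported as affected, the older branches are reported as needing migration, and branches the advisory does not mention are flagged for manual confirmation rather than assumed safe. The hostnames and versions in the sample inventory are constructed.

```python
from typing import Dict, List, Tuple

# First fixed build per branch, as stated under Remediation (added example,
# not vendor code). Branches in MIGRATE_ONLY are listed as affected in every
# version, with the advice to migrate to a fixed release.
FIXED: Dict[str, str] = {"7.6": "7.6.4", "7.4": "7.4.9"}
MIGRATE_ONLY = {"7.2", "7.0", "6.4", "6.2", "6.0"}


def parse_version(v: str) -> Tuple[int, int, int]:
    """'7.4.8' -> (7, 4, 8); rejects anything that is not MAJOR.MINOR.PATCH."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess_fortios(version: str) -> Tuple[bool, str]:
    """Return (affected, recommended action) for one FortiOS version."""
    major, minor, patch = parse_version(version)
    branch = f"{major}.{minor}"
    if branch in FIXED:
        if (major, minor, patch) < parse_version(FIXED[branch]):
            return True, f"upgrade to {FIXED[branch]} or later"
        return False, "running a fixed release"
    if branch in MIGRATE_ONLY:
        return True, "migrate to a fixed release"
    # Branches the advisory does not mention: do not assume safety.
    return False, "branch not listed in this advisory; confirm with vendor"


def find_affected(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, action) for every device that needs action."""
    hits = []
    for host, version in sorted(inventory.items()):
        affected, action = assess_fortios(version)
        if affected:
            hits.append((host, version, action))
    return hits


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {"fw-edge-01": "7.6.3", "fw-edge-02": "7.6.4",
                    "fw-branch-01": "7.4.8", "fw-lab-01": "7.2.11",
                    "fw-dc-01": "7.4.9"}

if __name__ == "__main__":
    for host, version, action in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: FortiOS {version} affected, {action}")
```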

Added: Nov 18, 2025, 5:22 PM
Updated: Nov 18, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm
spread          6.8
impact          7.5
exploitability  4.3
remediation     7.7
relevance       1.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight category scores, which are then combined to calculate the overall risk score.