Fortinet Discloses Critical Out-of-Bounds Write Vulnerability in FortiOS CAPWAP Daemon
Fortinet has disclosed a critical out-of-bounds write vulnerability in the FortiOS CAPWAP daemon that could allow an attacker controlling an authenticated FortiAP, FortiExtender, or FortiSwitch to gain execution privileges on the FortiGate device.
Fortinet has disclosed a critical out-of-bounds write vulnerability (CWE-787) in the FortiOS CAPWAP daemon, tracked as FG-IR-26-123 with a CVSSv3 score of 8.3. The flaw, discovered internally by Fortinet Product Security team member Gwendal Guégniaud, could allow an attacker controlling an authenticated FortiAP, FortiExtender, or FortiSwitch to gain execution privileges on the FortiGate device. The advisory was revised on May 12, 2026, with patches now available for all affected versions.
The vulnerability resides in the CAPWAP daemon, which handles Control and Provisioning of Wireless Access Points protocol traffic. An attacker who has already compromised an authenticated FortiAP, FortiExtender, or FortiSwitch can send specially crafted CAPWAP packets to trigger an out-of-bounds write, potentially leading to arbitrary code execution on the FortiGate. This attack vector requires the attacker to first gain control of an authenticated device, but the high severity score reflects the potential for complete compromise of the FortiGate once exploited.
FortiOS versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, and 7.2.0 through 7.2.11 are affected. Fortinet has released patches in FortiOS 7.6.4, 7.4.9, and 7.2.12, respectively. The company strongly recommends upgrading to the latest versions using their upgrade tool at https://docs.fortinet.com/upgrade-tool.
For organizations unable to immediately patch, Fortinet has provided a workaround: disabling the CAPWAP daemon entirely. This can be done via the CLI by running `config global config system global set wireless-controller disable`, followed by disabling FortiExtender support with `set fortiextender disable`. After applying the workaround, administrators should validate the changes with `show full | grep wireless-controller` and `show full | grep fortiextender`.
No evidence of in-the-wild exploitation has been reported at the time of disclosure. However, given the critical nature of the vulnerability and the potential for privilege escalation on FortiGate devices, Fortinet is urging all customers to prioritize patching. The CAPWAP daemon is a core component in Fortinet's wireless networking infrastructure, making this flaw particularly concerning for organizations relying on FortiAP and FortiSwitch deployments.
This disclosure follows a broader trend of vulnerabilities in network infrastructure devices, where flaws in protocol daemons can serve as entry points for lateral movement within enterprise networks. Fortinet's internal discovery and responsible disclosure process highlights the importance of proactive security research, but the high CVSS score underscores the need for rapid patch deployment in environments using Fortinet wireless solutions.