VYPR
Published May 12, 2026 · Updated May 20, 2026 · 2 sources

Fortinet Discloses High-Severity OS Command Injection in FortiAP, FortiAP-U, and FortiAP-W2 CLI

Fortinet disclosed a high-severity OS command injection vulnerability in the CLI of FortiAP, FortiAP-U, and FortiAP-W2 devices, allowing authenticated privileged attackers to execute arbitrary commands.

Fortinet has disclosed a high-severity OS command injection vulnerability, tracked as FG-IR-26-131, affecting the CLI of FortiAP, FortiAP-U, and FortiAP-W2 wireless access point devices. The flaw, classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), carries a CVSS score of 6.1 and allows an authenticated privileged attacker to execute unauthorized code or commands via specially crafted CLI requests.

The vulnerability stems from improper sanitization of special elements within CLI input, enabling an attacker with administrative access to inject arbitrary OS commands. While the CVSS score is moderate due to the requirement for authenticated privileged access, the potential impact is significant because FortiAP devices are widely deployed as enterprise wireless access points, often in sensitive network segments. Successful exploitation could allow an attacker to pivot from the device to other internal systems, exfiltrate data, or disrupt network operations.

Fortinet's advisory lists multiple affected versions across three product lines. For FortiAP, versions 7.6.0 through 7.6.2 are affected, with the fix in 7.6.3; versions 7.4.0 through 7.4.5 are affected, fixed in 7.4.6; and all versions of FortiAP 7.2 and 6.4 are affected with no patch available, so users must migrate to a fixed release. For FortiAP-U, versions 7.0.0 through 7.0.5 are affected, fixed in 7.0.6. For FortiAP-W2, versions 7.4.0 through 7.4.4 are affected, fixed in 7.4.5, and all versions of FortiAP-W2 7.2 are affected, requiring migration to a fixed release.
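As an added example (not code from Fortinet or Vypr), the version ranges above encoded as a small triage script that flags which inventory entries still need an upgrade or a migration; the FortiAP-W2 7.2 entry follows the revised advisory note (7.2.0 through 7.2.5, fix 7.2.6 upcoming), and the hostnames and inventory are constructed.

```python
from typing import List, Optional, Tuple
# Affected ranges from the advisory summary above (FortiAP-W2 7.2 per the revision):
# (product, branch (major, minor), last affected patch or None = whole branch, action)
AFFECTED: List[Tuple[str, Tuple[int, int], Optional[int], str]] = [
    ("FortiAP",    (7, 6), 2,    "upgrade to 7.6.3 or above"),
    ("FortiAP",    (7, 4), 5,    "upgrade to 7.4.6 or above"),
    ("FortiAP",    (7, 2), None, "migrate to a fixed release"),
    ("FortiAP",    (6, 4), None, "migrate to a fixed release"),
    ("FortiAP-U",  (7, 0), 5,    "upgrade to 7.0.6 or above"),
    ("FortiAP-W2", (7, 4), 4,    "upgrade to 7.4.5 or above"),
    ("FortiAP-W2", (7, 2), 5,    "upgrade to 7.2.6 or above (upcoming)"),
]
KNOWN_PRODUCTS = {entry[0] for entry in AFFECTED}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; reject anything else rather than guessing."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def assess(product: str, version: str) -> Tuple[bool, str]:
    """Return (affected, recommended action) for one device."""
    if product not in KNOWN_PRODUCTS:
        raise ValueError(f"product not covered by FG-IR-26-131: {product!r}")
    major, minor, patch = parse_version(version)
    for prod, branch, last_patch, action in AFFECTED:
        if prod != product or (major, minor) != branch:
            continue
        if last_patch is None or patch <= last_patch:
            return True, action
        return False, "at or above the fixed release for this branch"
    return False, "branch not listed as affected"

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, action) for each inventory entry that still needs work."""
    results = []
    for host, product, version in inventory:
        affected, action = assess(product, version)
        if affected:
            results.append((host, action))
    return results

if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [("ap-lobby-01", "FortiAP", "7.6.1"), ("ap-lab-02", "FortiAP", "7.2.4"),
              ("ap-u-03", "FortiAP-U", "7.0.6"), ("ap-w2-04", "FortiAP-W2", "7.2.5")]
    for host, action in triage(sample):
        print(f"{host}: {action}")
```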

The vulnerability was internally discovered and reported by Shrikant Patil from the FortiAP development team, indicating that no external researchers or threat actors were involved in the disclosure. Fortinet has not reported any active exploitation of this vulnerability in the wild as of the publication date. The advisory was published on May 12, 2026, with no additional timeline details provided.

This disclosure adds to a growing list of command injection vulnerabilities in network infrastructure devices, which remain a favored target for attackers seeking initial access or lateral movement within enterprise networks. Fortinet customers are advised to prioritize patching or migration, especially for end-of-life versions like FortiAP 6.4 and 7.2, which have no direct patch and require a product upgrade. Network administrators should also review CLI access controls and limit privileged accounts to reduce the attack surface.

The advisory was revised on May 12, 2026, to include additional affected versions: FortiAP 7.2 and 6.4 (all versions, with migration to fixed releases required) and FortiAP-W2 7.2.0 through 7.2.5 (upgrade to upcoming 7.2.6 or above). The vulnerability, internally discovered by Fortinet's Gwendal Guégniaud, carries a CVSSv3 score of 6.5 and requires authenticated access to the CLI, limiting the attack surface to privileged users.

Synthesized by Vypr AI