CVE-2025-53680 PUBLISHED

Assigner: fortinet
Reserved: 08.07.2025 Published: 12.05.2026 Updated: 13.05.2026

An improper neutralization of special elements used in an OS command ("OS Command Injection") vulnerability [CWE-78] in Fortinet FortiAP 7.6.0 through 7.6.2, FortiAP 7.4.0 through 7.4.5, FortiAP 7.2 all versions, FortiAP 7.0 all versions, FortiAP 6.4 all versions, FortiAP-U 7.0.0 through 7.0.5, FortiAP-U 6.2 all versions, FortiAP-W2 7.4.0 through 7.4.4, FortiAP-W2 7.2 all versions, FortiAP-W2 7.0 all versions allows an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI requests.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS Score: 6.1

Product Status

Vendor Fortinet
Product FortiAP
Versions Default: unaffected
  • affected from 7.6.0 to 7.6.2 (incl.)
  • affected from 7.4.0 to 7.4.5 (incl.)
  • affected from 7.2.0 to 7.2.6 (incl.)
  • affected from 7.0.0 to 7.0.7 (incl.)
  • affected from 6.4.3 to 6.4.9 (incl.)
Vendor Fortinet
Product FortiAP-W2
Versions Default: unaffected
  • affected from 7.4.0 to 7.4.4 (incl.)
  • affected from 7.2.0 to 7.2.5 (incl.)
  • affected from 7.0.0 to 7.0.8 (incl.)
Vendor Fortinet
Product FortiAP-U
Versions Default: unaffected
  • affected from 7.0.0 to 7.0.5 (incl.)
  • affected from 6.2.0 to 6.2.6 (incl.)

Solutions

  • Upgrade to FortiAP-U version 7.0.6 or above
  • Upgrade to FortiAP-W2 version 7.4.5 or above
  • Upgrade to FortiAP version 7.6.3 or above
  • Upgrade to FortiAP version 7.4.6 or above

References

Problem Types

  • Execute unauthorized code or commands CWE