CVE-2025-53870

MEDIUM

Fortinet FortiAP - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Title source: rule

Description

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiAP 7.6.0 through 7.6.2, FortiAP 7.4.0 through 7.4.5, FortiAP 7.2 all versions, FortiAP 7.0 all versions, FortiAP 6.4 all versions, FortiAP-W2 7.4.0 through 7.4.4, FortiAP-W2 7.2 all versions, FortiAP-W2 7.0 all versions may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted cli command.

References (1)

Core 1

Core References

https://fortiguard.fortinet.com/psirt/FG-IR-26-133

Scores

CVSS v3 6.7

EPSS 0.0004

EPSS Percentile 12.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (10)

fortinet/fortiap 6.4.0 - 7.4.6

Fortinet/FortiAP 6.4.3 - 6.4.9

Fortinet/FortiAP 7.0.0 - 7.0.7

Fortinet/FortiAP 7.2.0 - 7.2.6

Fortinet/FortiAP 7.4.0 - 7.4.5

Fortinet/FortiAP 7.6.0 - 7.6.2

Fortinet/FortiAP-W2 7.0.0 - 7.0.8

Fortinet/FortiAP-W2 7.2.0 - 7.2.5

fortinet/fortiap-w2 7.2.0 - 7.2.6

Fortinet/FortiAP-W2 7.4.0 - 7.4.4

Published May 12, 2026

Tracked Since May 12, 2026