Fortinet Patches Five Vulnerabilities Across FortiAP, FortiOS, and Enterprise Products

Fortinet released security advisories on May 12, 2026, addressing five vulnerabilities spanning its wireless access point controllers, network operating system, and enterprise management platforms, including a critical unauthenticated authorization bypass in FortiSandbox.

Critical Flaw in FortiSandbox

The most severe vulnerability disclosed is CVE-2026-26083 (FG-IR-26-136), a missing authorization flaw affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS.

Rated Critical, this GUI-accessible vulnerability requires no authentication, meaning a remote attacker could potentially access restricted functionality or sensitive sandbox analysis data without any credentials.

Affected versions include FortiSandbox 5.0 and 4.4, FortiSandbox Cloud 24, 23, and 5.0, and FortiSandbox PaaS versions spanning 22.1 through 23.4. The unauthenticated attack surface makes this the highest-priority patch in the batch.

Dual CLI Command Injection in FortiAP

Two separate OS command injection vulnerabilities were disclosed affecting Fortinet’s wireless access point firmware.

CVE-2025-53680 (FG-IR-26-131) involves improper neutralization of special elements in OS commands within the FortiAP CLI, affecting FortiAP 6.4 through 7.6, FortiAP-U 6.2 and 7.0, and FortiAP-W2 7.0 through 7.4.

A second CLI injection flaw, CVE-2025-53870 (FG-IR-26-133), independently affects FortiAP 6.4 through 7.6 and FortiAP-W2 7.0 through 7.4.

Both are rated Medium severity and require authenticated internal access, but successful exploitation could allow an attacker with CLI access to execute arbitrary OS-level commands on the access point hardware.

DoS Risk in FortiAnalyzer and FortiManager API

CVE-2025-67604 (FG-IR-26-137) is a "use of a potentially dangerous function" weakness in the API layer shared by FortiAnalyzer and FortiManager. Rated Medium, it affects versions 7.0 through 8.0 of both products.

An authenticated internal attacker could trigger a denial-of-service condition through the API, potentially disrupting centralized log analysis and network management operations — critical components in enterprise SOC environments.

Out-of-Bounds Write in FortiOS CAPWAP Daemon

CVE-2025-53844 (FG-IR-26-123) is an out-of-bounds write vulnerability residing in the CAPWAP (Control and Provisioning of Wireless Access Points) daemon within FortiOS.

Affecting FortiOS 7.2, 7.4, and 7.6, this flaw could allow an attacker with control over an access point endpoint to send malformed CAPWAP traffic and potentially crash or compromise the FortiOS process.

The vector is listed as “Others/Internal/Authenticated,” suggesting the attack requires a foothold within a trusted network segment or rogue AP scenario.
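As an added illustration of the class of check a CAPWAP receiver needs (this is not Fortinet code and not a reconstruction of the CVE-2025-53844 defect, whose root cause the advisory does not describe), the following Python parser reads the RFC 5415 transport header and refuses any frame whose declared header length or optional-field lengths exceed the bytes actually received. The header layout and UDP port numbers come from RFC 5415; the sample radio MAC address and payload are constructed.

```python
"""Bounds-checked parser for the CAPWAP transport header (RFC 5415, section 4.3).

Added illustration, not Fortinet code: it does not reproduce the actual
CVE-2025-53844 defect. It shows the class of check a CAPWAP receiver needs,
namely that every length field and flag-derived offset is validated against
the bytes actually received before anything is read or copied.
"""
import struct
from dataclasses import dataclass
from typing import Optional

CAPWAP_CONTROL_PORT = 5246  # UDP ports assigned by RFC 5415
CAPWAP_DATA_PORT = 5247


class MalformedCapwap(ValueError):
    """The frame's declared layout does not fit the bytes received."""


@dataclass
class CapwapHeader:
    hlen_words: int          # HLEN: total header length in 4-byte words
    rid: int                 # Radio ID
    wbid: int                # Wireless Binding ID (1 = IEEE 802.11)
    flags: dict              # T, F, L, W, M, K bits
    frag_id: int
    frag_offset: int
    radio_mac: Optional[bytes]
    payload: bytes


def _take_length_field(frame: bytes, offset: int, header_len: int, name: str):
    """Read a 'Length + data + pad to 32-bit' optional field inside the header.

    Returns (data, next_offset). Every bound is checked against header_len,
    which has itself already been checked against len(frame).
    """
    if offset + 1 > header_len:
        raise MalformedCapwap(f"{name}: no room for length byte")
    data_len = frame[offset]
    end = offset + 1 + data_len
    if end > header_len:
        raise MalformedCapwap(f"{name}: length {data_len} overruns header of {header_len} bytes")
    padded_end = (end + 3) & ~3          # optional fields are padded to 32-bit alignment
    return frame[offset + 1:end], padded_end


def parse_capwap(frame: bytes) -> CapwapHeader:
    """Parse a cleartext CAPWAP frame, rejecting anything whose declared sizes do not fit."""
    if len(frame) < 8:
        raise MalformedCapwap(f"frame too short: {len(frame)} bytes")
    version, ptype = frame[0] >> 4, frame[0] & 0x0F
    if version != 0 or ptype != 0:
        # Type 1 marks a DTLS-encapsulated frame; this parser handles type 0 only.
        raise MalformedCapwap(f"unsupported preamble: version={version} type={ptype}")
    bits = int.from_bytes(frame[1:4], "big")   # HLEN|RID|WBID|T|F|L|W|M|K|Flags
    hlen = (bits >> 19) & 0x1F
    flags = {name: bool((bits >> shift) & 1)
             for name, shift in (("T", 8), ("F", 7), ("L", 6), ("W", 5), ("M", 4), ("K", 3))}
    frag_id, frag_word = struct.unpack("!HH", frame[4:8])

    header_len = hlen * 4
    # The core check: the header length the sender declares must fit in the
    # bytes we hold, and must at least cover the fixed 8-byte part.
    if header_len < 8:
        raise MalformedCapwap(f"HLEN={hlen} is below the 2-word minimum")
    if header_len > len(frame):
        raise MalformedCapwap(f"HLEN declares {header_len} bytes but only {len(frame)} received")

    offset, radio_mac = 8, None
    if flags["M"]:
        radio_mac, offset = _take_length_field(frame, offset, header_len, "Radio MAC Address")
    if flags["W"]:
        _, offset = _take_length_field(frame, offset, header_len, "Wireless Specific Information")
    if offset > header_len:
        raise MalformedCapwap("optional fields extend past declared header length")

    return CapwapHeader(hlen, (bits >> 14) & 0x1F, (bits >> 9) & 0x1F, flags,
                        frag_id, frag_word >> 3, radio_mac, frame[header_len:])


def build_capwap(payload: bytes, radio_mac: Optional[bytes] = None,
                 rid: int = 1, wbid: int = 1, hlen_override: Optional[int] = None) -> bytes:
    """Build a frame for testing; hlen_override constructs the malformed case
    where HLEN disagrees with the header actually present."""
    opt = b""
    if radio_mac is not None:
        opt = bytes([len(radio_mac)]) + radio_mac
        opt += b"\x00" * (-len(opt) % 4)          # pad to 32-bit boundary
    hlen = (8 + len(opt)) // 4 if hlen_override is None else hlen_override
    m_bit = 1 if radio_mac is not None else 0
    bits = (hlen << 19) | (rid << 14) | (wbid << 9) | (m_bit << 4)
    return b"\x00" + bits.to_bytes(3, "big") + struct.pack("!HH", 0, 0) + opt + payload


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_capwap(frame)
        return True
    except MalformedCapwap:
        return False


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")          # constructed sample address
    good = build_capwap(b"\xde\xad", radio_mac=mac)
    print(parse_capwap(good))
    oversize = build_capwap(b"\xde\xad", radio_mac=mac, hlen_override=31)
    print("HLEN=31 accepted?", is_well_formed(oversize))
```

The point of the example is the ordering: the declared header length is compared with the buffer before any optional field is touched, and each optional field's own length byte is checked against that header length rather than trusted. A receiver that copies HLEN*4 bytes, or the radio MAC field, into a fixed buffer without those comparisons is the shape of bug the advisory's out-of-bounds write class describes in general terms.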

CVE             Product                          Severity  Vector  Auth Required
CVE-2026-26083  FortiSandbox / Cloud / PaaS      Critical  GUI     No
CVE-2025-53680  FortiAP, FortiAP-U, FortiAP-W2   Medium    CLI     Yes
CVE-2025-53870  FortiAP, FortiAP-W2              Medium    CLI     Yes
CVE-2025-67604  FortiAnalyzer, FortiManager      Medium    API     Yes
CVE-2025-53844  FortiOS                          Medium    CAPWAP  Yes

Organizations running affected Fortinet products should prioritize patching CVE-2026-26083 immediately, given its Critical rating and unauthenticated attack surface.

For the remaining medium-severity flaws, security teams should apply available patches during their next maintenance window, restrict CLI and API access to trusted administrators only, and monitor internal network traffic for anomalous CAPWAP or API activity.

Fortinet’s PSIRT advisory page remains the authoritative source for patch version details and workarounds.
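One way to operationalize the monitoring recommendation above, as an added example rather than anything from the advisory or from Fortinet: the script below reviews flow records against an access-point inventory and an admin network, flagging CAPWAP traffic toward the wireless controller from sources that are not inventoried APs and management-plane connections to FortiAnalyzer/FortiManager from outside the admin network. The CAPWAP ports come from RFC 5415; the record format, addresses, inventory, and the assumption that the managers expose their GUI/API on TCP 443 are constructed for illustration.

```python
"""Allowlist-based review of flow records for the two monitoring points in the
advisory summary: CAPWAP traffic toward a FortiOS wireless controller from
anything other than inventoried access points, and management-plane (GUI/API)
connections to FortiAnalyzer/FortiManager from outside the admin network.

Added example; the record format, addresses and inventory are constructed for
illustration and are not Fortinet output.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

CAPWAP_PORTS = {5246, 5247}          # RFC 5415 control and data channels (UDP)
MGMT_PORTS = {443}                   # assumption: HTTPS GUI/API on the managers

# Constructed environment description.
WIRELESS_CONTROLLER = ipaddress.ip_address("10.0.0.1")
MANAGERS = {ipaddress.ip_address("10.0.0.20"), ipaddress.ip_address("10.0.0.21")}
KNOWN_APS = {ipaddress.ip_address(a) for a in ("10.10.1.11", "10.10.1.12", "10.10.1.13")}
ADMIN_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed flow export: ts,src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes
2026-05-12T09:00:01Z,10.10.1.11,10.0.0.1,udp,5246,812
2026-05-12T09:00:02Z,10.10.1.12,10.0.0.1,udp,5247,16040
2026-05-12T09:00:05Z,10.10.7.200,10.0.0.1,udp,5246,640
2026-05-12T09:01:10Z,10.99.0.15,10.0.0.20,tcp,443,3071
2026-05-12T09:01:44Z,10.10.3.77,10.0.0.21,tcp,443,5210
2026-05-12T09:02:00Z,10.10.1.13,10.0.0.1,udp,5247,9870
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def review_flows(flow_csv: str) -> list:
    """Return one Finding per flow that violates the CAPWAP or management allowlist."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        port, proto = int(row["dport"]), row["proto"].lower()

        # CAPWAP toward the controller should only ever originate from inventoried APs.
        if dst == WIRELESS_CONTROLLER and proto == "udp" and port in CAPWAP_PORTS:
            if src not in KNOWN_APS:
                findings.append(Finding(row["ts"], row["src"], row["dst"],
                                        f"CAPWAP port {port} from a source not in the AP inventory"))
        # GUI/API access to the managers should stay inside the admin network.
        elif dst in MANAGERS and proto == "tcp" and port in MGMT_PORTS:
            if not any(src in net for net in ADMIN_NETS):
                findings.append(Finding(row["ts"], row["src"], row["dst"],
                                        "management-plane connection from outside the admin network"))
    return findings


if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```

An inventory allowlist only surfaces sources that should not be speaking CAPWAP or reaching the managers at all; it says nothing about an already-authenticated administrator or an inventoried AP that has been compromised, which is exactly the position the four authenticated vectors in the table assume. It narrows the reachable surface and gives the SOC a signal, but it is a companion to the patches, not a substitute.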

The post Fortinet Patches Five Vulnerabilities Across FortiAP, FortiOS, and Enterprise Products appeared first on Cyber Security News.
