Severity: High

Stack-based buffer overflow in Fortinet FortiOS CAPWAP daemon

Identifiers: CVE-2025-53843; CWE-121 (Stack-based Buffer Overflow)

CVE-2025-53843 is a stack-based buffer overflow vulnerability affecting Fortinet FortiOS, including versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, and all versions in the 7.2, 7.0, and 6.4 branches. The available reporting indicates the flaw is in the FortiOS/FortiSwitchManager CAPWAP daemon and is triggered by specially crafted packets. The vulnerability stems from improper handling of stack memory, allowing an overwrite of adjacent stack data and potentially control-flow-relevant values. Publicly available content does not disclose the exact vulnerable function, packet format, or code path. One source in the provided content characterizes exploitation as enabling arbitrary code or command execution as a low-privileged user and notes the presence of stack protections and ASLR.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in unauthorized code execution or command execution on the affected FortiOS device. Based on the provided content, execution may occur in the context of a low-privileged user associated with the vulnerable daemon. This could allow an attacker to compromise the affected appliance, run attacker-controlled commands, and potentially use the device as a foothold for further operations depending on local privilege boundaries and appliance role.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the vulnerable CAPWAP-related service path as much as operationally feasible. Based on the provided content, exploitation may require the attacker to pose as an authorized FortiAP or FortiExtender, so organizations should strictly limit which devices can communicate with the affected service, isolate management and CAPWAP traffic to trusted networks, restrict onboarding of AP/extender devices, and monitor for anomalous or malformed CAPWAP packets and unexpected device registrations. These are interim measures only; patching is the primary mitigation.

Remediation

Patch, then assume compromise.

Upgrade affected FortiOS installations to a vendor-fixed release. The vulnerable versions identified in the provided content are FortiOS 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, and all versions of the 7.2, 7.0, and 6.4 branches. The specific fixed versions are not provided in the supplied content, so remediation should follow Fortinet PSIRT guidance for CVE-2025-53843 / advisory FG-IR-25-358 and move systems to the first patched release in each supported branch.

PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor     Product   Type
Fortinet   Fortios   operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
