On 13 January 2026, Fortinet released an ?describing a high-severity remote code execution vulnerability affecting its?FortiOS?and?FortiSwitchManager?products. According to Fortinet, the vulnerability stems from a flaw in the CAPWAP Wireless Aggregate Controller Daemon and could allow an unauthenticated, remote threat actor to execute arbitrary code or commands. The vulnerability was discovered internally by Fortinet¡¯s Product Security Team.?
Fortinet recommends upgrading to the latest fixed version to address this vulnerability as soon as possible. For situations where near-term upgrade is not practical, they also provide a workaround to remove ¡°fabric¡± access from each interface.?
Historically, threat actors have?targeted Fortinet products to gain initial access. Although this recent?FortiOS?and?FortiSwitchManager?vulnerability is not known to be exploited in the wild and public proof-of-concept (PoC) exploit code is not available at this time, threat actors will?likely?attempt?to leverage?this flaw?to access organisations’ networks in the future.?
Recommendations For CVE-2025-25249
Upgrade to Latest Fixed Version
Arctic Wolf?strongly recommends?that customers upgrade to the latest fixed version of affected Fortinet products.?FortiOS?runs on products such as FortiGate Next-Generation Firewalls, FortiGate VM, and?FortiWiFi.?
For more details on the vulnerability and affected products, see the?.?
| Product? | Affected Version? | Fixed Version? |
| FortiOS?7.6? | 7.6.0 through 7.6.3? | 7.6.4 or above? |
| FortiOS?7.4? | 7.4.0 through 7.4.8? | 7.4.9 or above? |
| FortiOS?7.2? | 7.2.0 through 7.2.11? | 7.2.12 or above? |
| FortiOS?7.0? | 7.0.0 through 7.0.17? | 7.0.18 or above? |
| FortiOS?6.4? | 6.4.0 through 6.4.16? | 6.4.17 or above? |
| FortiSwitchManager?7.2? | 7.2.0 through 7.2.6? | 7.2.7 or above? |
| FortiSwitchManager?7.0? | 7.0.0 through 7.0.5? | 7.0.6 or above? |
| FortiSASE?25.1.a? | 25.1.a? | Migrate to a fixed release? |
Note: The following?FortiSASE?versions are unaffected: 22, 23.1, 23.2, 23.3, 24.4, 25.2.?
Workaround?
If immediate patching is not an option, Fortinet recommends removing ¡°fabric¡± access or disallowing access to the?CAPWAP daemon. Steps to do so can be found in?their?.?
References?
