On January 13, 2026, Fortinet released an advisory describing a high-severity remote code execution vulnerability affecting its FortiOS and FortiSwitchManager products. According to Fortinet, the vulnerability stems from a flaw in the CAPWAP Wireless Aggregate Controller Daemon and could allow an unauthenticated, remote threat actor to execute arbitrary code or commands. The vulnerability was discovered internally by Fortinet’s Product Security Team.
Fortinet recommends upgrading to the latest fixed version as soon as possible to address this vulnerability. Where a near-term upgrade is not practical, Fortinet also provides a workaround: removing “fabric” access from each interface.
Historically, threat actors have targeted Fortinet products to gain initial access. Although this recent FortiOS and FortiSwitchManager vulnerability is not known to be exploited in the wild and public proof-of-concept (PoC) exploit code is not available at this time, threat actors will likely attempt to leverage this flaw to access organizations’ networks in the future.
Recommendations For CVE-2025-25249
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of affected Fortinet products. FortiOS runs on products such as FortiGate Next-Generation Firewalls, FortiGate VM, and FortiWiFi.
For more details on the vulnerability and affected products, see the advisory page.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| FortiOS 7.6 | 7.6.0 through 7.6.3 | 7.6.4 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.8 | 7.4.9 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.11 | 7.2.12 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.17 | 7.0.18 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.16 | 6.4.17 or above |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.6 | 7.2.7 or above |
| FortiSwitchManager 7.0 | 7.0.0 through 7.0.5 | 7.0.6 or above |
| FortiSASE 25.1.a | 25.1.a | Migrate to a fixed release |
Note: The following FortiSASE versions are unaffected: 22, 23.1, 23.2, 23.3, 24.4, 25.2.
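To triage a device inventory against the table above, the following added example (not from Fortinet or Arctic Wolf) compares versions numerically and reports branches the table does not cover as "unlisted" instead of guessing. The hostnames and inventory are constructed sample data; FortiSASE is left for manual review because its version identifiers are not in numeric dotted form.

```python
# Added example. Inclusive affected ranges transcribed from the table above.
AFFECTED = {
    ("FortiOS", "7.6"): ("7.6.0", "7.6.3"),
    ("FortiOS", "7.4"): ("7.4.0", "7.4.8"),
    ("FortiOS", "7.2"): ("7.2.0", "7.2.11"),
    ("FortiOS", "7.0"): ("7.0.0", "7.0.17"),
    ("FortiOS", "6.4"): ("6.4.0", "6.4.16"),
    ("FortiSwitchManager", "7.2"): ("7.2.0", "7.2.6"),
    ("FortiSwitchManager", "7.0"): ("7.0.0", "7.0.5"),
}

def parse(version):
    """Turn '7.2.11' into (7, 2, 11) so comparison is numeric, not lexical."""
    parts = version.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in parts)

def triage(product, version):
    """Classify one device as 'affected', 'fixed' or 'unlisted'."""
    try:
        v = parse(version)
    except ValueError:
        return "unlisted"  # e.g. FortiSASE-style identifiers; review by hand
    bounds = AFFECTED.get((product, f"{v[0]}.{v[1]}"))
    if bounds is None:
        return "unlisted"  # branch not in the table; check the vendor advisory
    low, high = parse(bounds[0]), parse(bounds[1])
    return "affected" if low <= v <= high else "fixed"

# Constructed inventory (hypothetical hostnames): (name, product, version).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.2.11"),
    ("fw-edge-02", "FortiOS", "7.2.12"),
    ("fw-branch-07", "FortiOS", "v7.4.9"),
    ("fsm-core", "FortiSwitchManager", "7.0.5"),
    ("fw-legacy", "FortiOS", "6.2.15"),
]

def report(inventory):
    """Map each device name to its triage result."""
    return {name: triage(product, ver) for name, product, ver in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:14} {status}")
```

A plain string comparison would sort 7.2.10 below 7.2.6 and misclassify it, which is why versions are parsed into integer tuples first.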
Workaround
If immediate patching is not an option, Fortinet recommends removing “fabric” access or disallowing access to the CAPWAP daemon. Steps to do so can be found in their advisory.