CRITICAL, 20 Apr 2026

Fortinet FG-IR-26-125 — CAPWAP Missing Authentication Enables Wireless Control Plane Takeover

Unauthenticated access to critical CAPWAP daemon functions in FortiAP wireless controllers exposes UK/EU enterprise wireless infrastructure to control plane compromise. Tier-0 vendor advisory confirms Fortinet Security Fabric wireless component is directly at risk.

Key findings
01
FortiSandbox Authentication Bypass + Privilege Escalation (FG-IR-26-112)
CRITICAL
[Medium] Fortinet also disclosed FG-IR-26-112 affecting FortiSandbox appliances — distinct from yesterday's CVE-2026-39808 RCE on the same product line. This advisory covers an authentication bypass combined with privilege escalation, creating an alternative attack path for adversaries targeting Fortinet security infrastructure.
02
FortiAP CAPWAP Missing Authentication (FG-IR-26-125)
MEDIUM
[Medium] Fortinet disclosed FG-IR-26-125, a missing authentication vulnerability affecting the Control and Provisioning of Wireless Access Points (CAPWAP) daemon in FortiAP wireless controllers.
03
Fortinet Admin Interface Out-of-Bounds Write (FG-IR-26-127)
MEDIUM
[Medium] The third Fortinet advisory from the April batch, FG-IR-26-127, identifies an out-of-bounds write vulnerability in Fortinet administrative interfaces. Published 15 April 2026, this finding represents the most recent disclosure in a sequence of 45+ Fortinet advisories this month.
04
Protobuf.js Pre-CVE Code Execution (GHSA-xq3m-2v4x-88gg)
MEDIUM
[Medium] Endor Labs disclosed a critical vulnerability in protobufjs, the widely adopted JavaScript Protocol Buffers library with 50 million weekly npm downloads.
05
Update: Cisco ISE CVE-2026-20184 — Enterprise Identity Fabric
MEDIUM
[Medium] Cisco disclosed CVE-2026-20184 alongside three companion CVEs affecting Identity Services Engine (ISE), the enterprise identity and network access control fabric widely deployed for 802.1X authentication in UK/EU organisations.

FortiAP CAPWAP Missing Authentication (FG-IR-26-125)

Confidence: Medium

Fortinet disclosed FG-IR-26-125, a missing authentication vulnerability affecting the Control and Provisioning of Wireless Access Points (CAPWAP) daemon in FortiAP wireless controllers. The CAPWAP protocol is the standard mechanism for managing enterprise wireless access points and their control plane communications. Without authentication on critical functions, unauthenticated attackers can execute privileged operations against wireless infrastructure.

CAPWAP operates as the central nervous system of enterprise wireless networks. A compromise of the CAPWAP daemon provides adversaries with direct access to wireless controller functions, potentially enabling rogue access point provisioning, client traffic redirection, credential sniffing on wireless connections, and lateral movement into wired network segments traditionally considered protected by perimeter segmentation.

Fortinet published this advisory on 14 April 2026 as part of a continuing April advisory surge. UK and EU enterprises deploying FortiAP for wireless infrastructure should prioritise assessment of CAPWAP daemon exposure. Wireless networks traditionally considered internal and lower-risk are now directly exposed through this unauthenticated access path. Patch guidance is available via Fortinet PSIRT.

FortiSandbox Authentication Bypass + Privilege Escalation (FG-IR-26-112)

Confidence: Medium

Fortinet also disclosed FG-IR-26-112 affecting FortiSandbox appliances — distinct from yesterday's CVE-2026-39808 RCE on the same product line. This advisory covers an authentication bypass combined with privilege escalation, creating an alternative attack path for adversaries targeting Fortinet security infrastructure.

While yesterday's CVE-2026-39808 permitted direct unauthenticated RCE, FG-IR-26-112 achieves similar administrative access through a different mechanism: bypassing authentication controls and escalating privileges within the appliance environment. Both vulnerabilities require patching; this is not duplicate coverage but an additional exposure surface on the same product family. The cumulative effect of these disclosures suggests sustained product security review or coordinated upstream discovery within Fortinet's codebase.

Fortinet Admin Interface Out-of-Bounds Write (FG-IR-26-127)

Confidence: Medium

The third Fortinet advisory from the April batch, FG-IR-26-127, identifies an out-of-bounds write vulnerability in Fortinet administrative interfaces. Published 15 April 2026, this finding represents the most recent disclosure in a sequence of 45+ Fortinet advisories this month.

Out-of-bounds write patterns historically enable denial-of-service conditions and potential code execution depending on memory layout and attack primitives. Administrative interfaces are high-value targets: they typically operate with elevated privileges, provide access to configuration stores, and serve as pivot points for broader network compromise. Organisations should review patch availability and prioritise administrative interface hardening in tandem with the CAPWAP and FortiSandbox patches.

Protobuf.js Pre-CVE Code Execution (GHSA-xq3m-2v4x-88gg)

Confidence: Medium

Endor Labs disclosed a critical vulnerability in protobufjs, the widely adopted JavaScript Protocol Buffers library with 50 million weekly npm downloads. The flaw enables arbitrary JavaScript code execution when processing untrusted Protobuf messages through unsafe dynamic code generation during deserialization.

This is a pre-CVE disclosure — no official CVE identifier has been assigned, and Google has not yet released a coordinated patch. Proof-of-concept exploit code is publicly available, compressing the exploitation window. The gap between disclosure, CVE assignment, patch release, and downstream deployment typically spans 2–4 weeks for high-usage libraries. During this window, any application processing untrusted Protobuf messages via protobufjs is exposed.

Development teams should audit dependency manifests for protobufjs usage. Where immediate patching is unavailable, sandboxing Protobuf processing or validating input at the application layer can reduce exposure until an official patch is released.
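The manifest audit described above can be run against an npm lockfile, which also shows transitive copies that package.json does not list. The following is an added example, not code from Endor Labs or the protobufjs project; the function names and the sample lockfile (package names and versions) are constructed for illustration, and it assumes a package-lock.json with lockfileVersion 2 or 3.

```javascript
// Added example: find every installed copy of a package in package-lock.json
// (lockfileVersion 2/3) and which dependents resolve to each copy.

// Package name for a lockfile key like "node_modules/a/node_modules/@s/b".
function nameOf(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key || "(root project)" : key.slice(i + "node_modules/".length);
}

// Node resolution: nearest node_modules/<dep>, walking up from the dependent.
function resolveFrom(packages, fromKey, dep) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

function auditLockfile(lock, target) {
  const packages = lock.packages;
  if (!packages) throw new Error("need lockfileVersion 2 or 3 ('packages' map)");
  const copies = new Map();
  for (const [key, e] of Object.entries(packages)) {
    if (key.includes("node_modules/") && nameOf(key) === target && !e.link)
      copies.set(key, { path: key, version: e.version, devOnly: !!e.dev, requiredBy: [] });
  }
  for (const [key, e] of Object.entries(packages)) {
    const declared = { ...e.dependencies, ...e.optionalDependencies,
                       ...e.peerDependencies, ...e.devDependencies };
    if (!(target in declared)) continue;
    const hit = copies.get(resolveFrom(packages, key, target));
    if (hit) hit.requiredBy.push(`${nameOf(key)} (${declared[target]})`);
  }
  return [...copies.values()];
}

// Constructed sample lockfile; package names and versions are illustrative.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@example/rpc-loader": "^1.0.0" },
        devDependencies: { "legacy-codegen": "^1.0.0" } },
  "node_modules/@example/rpc-loader": { version: "1.0.0", dependencies: { protobufjs: "^7.0.0" } },
  "node_modules/protobufjs": { version: "7.0.0" },
  "node_modules/legacy-codegen": { version: "1.0.0", dev: true, dependencies: { protobufjs: "^6.0.0" } },
  "node_modules/legacy-codegen/node_modules/protobufjs": { version: "6.0.0", dev: true },
} };

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, "protobufjs"), null, 2));
```

On a real project, pass the parsed contents of package-lock.json as the first argument; copies with `devOnly: false` are the ones that ship with the application and deserve the first look.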

Update: Cisco ISE CVE-2026-20184 — Enterprise Identity Fabric

Confidence: Medium

Cisco disclosed CVE-2026-20184 alongside three companion CVEs affecting Identity Services Engine (ISE), the enterprise identity and network access control fabric widely deployed for 802.1X authentication in UK/EU organisations. Code execution flaws in authentication and identity services create a particularly damaging exposure: compromise of the identity system enables adversaries to authenticate as legitimate users, bypass access controls, and persist within enterprise environments undetected.

Patches are available through Cisco's April security update cycle. Unlike perimeter firewalls, which see regular patching cycles, enterprise identity infrastructure often receives slower patch adoption due to authentication dependency risks. Security teams should prioritise ISE patches over other April updates given the identity fabric's central role in enterprise access control.

Why This Matters

Fortinet's April advisory surge continues with three additional critical disclosures distinct from yesterday's FortiSandbox RCE. The cumulative impact is a sustained elevation of risk across Fortinet-deployed enterprises: perimeter (FortiSandbox), wireless control plane (CAPWAP), and administrative access surfaces all have confirmed high-severity exposures this week.

The security supply chain faces additional pressure from pre-CVE library disclosures. Protobufjs joins the risk surface with 50 million weekly downloads and publicly available exploit code before any official patch. Library-based attacks exploit the trust developers place in widely-adopted dependencies — a single compromised or vulnerable library cascades into thousands of downstream applications.

For UK/EU infrastructure defenders, this represents a simultaneous multi-vector exposure requiring prioritisation decisions under uncertainty. Fortinet CAPWAP affects wireless infrastructure historically considered lower-risk. Protobufjs affects application dependencies that may not be visible to security teams without software bill of materials tracking. Cisco ISE affects the identity systems that gate all other access.

Recommended Actions

  • Immediate (0–24 hours):
      • Inventory FortiAP deployments and assess CAPWAP daemon network exposure
      • Audit software bill of materials for protobufjs dependencies; flag applications processing untrusted Protobuf messages
  • Short-term (24–72 hours):
      • Apply Fortinet patches for FG-IR-26-125 (CAPWAP), FG-IR-26-112 (FortiSandbox auth bypass), and FG-IR-26-127 (Admin OOB write)
      • Prioritise Cisco ISE patching over lower-criticality April updates
  • Ongoing:
      • Implement SBOM tracking to enable rapid response to library vulnerabilities
      • Review Chrome extension policies; audit enterprise deployments for the 108 malicious extensions reported this sweep
      • Hold Windows April patches on domain controllers pending Microsoft's corrected build for reboot loop regression

All findings grounded in A13E intelligence sweeps through 04:35 UTC 20 April 2026.

References

  • Fortinet PSIRT, FG-IR-26-125 — CAPWAP missing authentication, 14 April 2026
  • Fortinet PSIRT, FG-IR-26-112 — FortiSandbox authentication bypass + privilege escalation, 14 April 2026
  • Fortinet PSIRT, FG-IR-26-127 — Admin interface out-of-bounds write, 15 April 2026
  • NVD, CVE-2026-20184 — Cisco Identity Services Engine
  • Cisco Security Advisories, April 2026 bundled publications
  • NCSC UK, Improving your response to vulnerability management — operational guidance relevant to this week's Fortinet + Cisco patch surge
  • CISA, Known Exploited Vulnerabilities Catalog — cross-reference for exploitation status