Impact
The vulnerability is an OS command injection flaw that allows an authenticated privileged user to craft and send malicious CLI requests to a Fortinet FortiAP access point, leading to execution of arbitrary operating‑system commands. This can compromise the confidentiality, integrity, and availability of the device and any connected network segments.
Affected Systems
Affected products are Fortinet FortiAP, FortiAP-U, and FortiAP-W2. The impacted versions are: FortiAP 7.6.0 through 7.6.2, 7.4.0 through 7.4.5, and all 7.2, 7.0, and 6.4 releases; FortiAP-U 7.0.0 through 7.0.5 and all 6.2 releases; FortiAP-W2 7.4.0 through 7.4.4 and all 7.2 and 7.0 releases.
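An added inventory check, written for this page and not taken from the OpenCVE advisory or from Fortinet: it encodes the affected version ranges listed above and flags which devices in a constructed sample inventory fall inside them. The product names and ranges are the ones stated above; the hostnames, sample versions and helper names are assumptions.

```python
# Added example (not part of the advisory): flag FortiAP firmware versions
# that fall inside the affected ranges quoted on this page.
# "All X.Y releases" is expressed as X.Y.0 .. X.Y.<any patch>.
import re

ANY = 10**6  # sentinel: no upper bound on the patch number
AFFECTED = {  # product -> list of (lowest affected, highest affected)
    "FortiAP":    [((7, 6, 0), (7, 6, 2)), ((7, 4, 0), (7, 4, 5)),
                   ((7, 2, 0), (7, 2, ANY)), ((7, 0, 0), (7, 0, ANY)),
                   ((6, 4, 0), (6, 4, ANY))],
    "FortiAP-U":  [((7, 0, 0), (7, 0, 5)), ((6, 2, 0), (6, 2, ANY))],
    "FortiAP-W2": [((7, 4, 0), (7, 4, 4)), ((7, 2, 0), (7, 2, ANY)),
                   ((7, 0, 0), (7, 0, ANY))],
}

def parse_version(text):
    """Turn '7.4.3' or 'v7.4.3' into a (major, minor, patch) tuple; None if malformed."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(product, version):
    """True if product/version lies in any affected range; raises on unknown input."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product {product!r}")
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable version {version!r}")
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return any(low <= v <= high for low, high in AFFECTED[product])

def triage(inventory):
    """Map each hostname in (hostname, product, version) rows to True/False."""
    return {host: is_affected(product, version) for host, product, version in inventory}

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "FortiAP",    "7.4.5"),   # top of 7.4.0-7.4.5 -> affected
    ("ap-lobby-02", "FortiAP",    "7.4.6"),   # above that range   -> not affected
    ("ap-lab-01",   "FortiAP",    "7.2.11"),  # all 7.2 releases   -> affected
    ("ap-wh-01",    "FortiAP-U",  "7.0.6"),   # above 7.0.5        -> not affected
    ("ap-wh-02",    "FortiAP-W2", "v7.0.3"),  # all 7.0 releases   -> affected
]

if __name__ == "__main__":
    for host, flagged in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'AFFECTED' if flagged else 'not affected'}")
```

Feed it the product/version pairs from your own asset inventory; anything flagged should be scheduled for the vendor's fixed release.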
Risk and Exploitability
The CVSS score of 6.1 indicates medium severity, but the nature of the flaw, unauthorized command execution on the device, raises the practical threat level. Exploitation requires privileged credentials and network access to the device's CLI, a combination that typically corresponds to a compromised internal user or an attacker who has already gained a foothold and escalated privileges. No EPSS score is available, and the vulnerability is not currently listed in CISA's KEV catalog, suggesting that no widespread public exploits have been observed. Nevertheless, the potential for full device compromise warrants close attention and timely mitigation.
OpenCVE Enrichment