Heap-based buffer overflow in cw_acd daemon

Summary

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiSwitchManager cw_acd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
The presence of security controls such as ASLR and PIE considerably raises the complexity and preparation effort required for exploitation.

Workarrounds :

For each interface, remove "fabric" access. For example change :
config system interface
edit "port1"
set allowaccess fabric ssh https
next
end

to :
config system interface
edit "port1"
set allowaccess ssh https
next
end

or disallow access to the capwap daemon :

For each interface with the "fabric" service, block CAPWAP-CONTROL access to port 5246 to 5249 through a local-in policy.
config firewall service custom
edit "CAPWAP-CONTROL"
set udp-portrange 5246-5249
next
end
config firewall addrgrp
edit "CAPWAP_DEVICES_IPs"
set member "my_allowed_addresses"
end
config firewall local-in-policy
edit 1 (allow from trusted devices)
set intf "port1" (where fabric is enabled)
set srcaddr "CAPWAP_DEVICES_IPs"
set dstaddr "all"
set service "CAPWAP-CONTROL"
set schedule "always"
set action accept
next
edit 2 (block everyone else)
set intf "port1" (where fabric is enabled)
set srcaddr "all'
set dstaddr "all"
set service "CAPWAP-CONTROL"
set schedule "always"
set action deny
next
end

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security Team.

Timeline

2026-01-13: Initial publication
2026-01-19: added details about security controls.
2026-02-23: removed FortiOS 6.4.17 from fixed version