CVE-2021-26093
CVE-2021-26093 is a high-severity vulnerability in Fortinet Fortiwlc with a CVSS 3.x base score of 7.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-824.
Key facts
- Severity: High (CVSS 3.x base score 7.3)
- EPSS exploit prediction: 0% (6th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2021-12914
- Weakness: CWE-824
- Affected product: Fortinet Fortiwlc
- Published:
- Last modified:
Description
An access of uninitialized pointer (CWE-824) vulnerability in FortiWLC versions 8.6.0, 8.5.3 and earlier may allow a local and authenticated attacker to crash the access point being managed by the controller by executing a crafted CLI command.
Frequently asked questions
- What is CVE-2021-26093?
- An access of uninitialized pointer (CWE-824) vulnerability in FortiWLC versions 8.6.0, 8.5.3 and earlier may allow a local and authenticated attacker to crash the access point being managed by the controller by executing a crafted CLI command.
- How severe is CVE-2021-26093?
- CVE-2021-26093 has a CVSS 3.x base score of 7.3, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability high.
- Is CVE-2021-26093 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (6th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-26093?
- CVE-2021-26093 affects Fortinet Fortiwlc. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-26093?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2021-26093 have an EU (EUVD) identifier?
- Yes. CVE-2021-26093 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-12914.
- When was CVE-2021-26093 published?
- CVE-2021-26093 was published on 2024-12-19 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:fortinet:fortiwlc:*:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortiwlc
- CVE-2017-17540 — Critical (CVSS 9.8): The presence of a hardcoded account in Fortinet FortiWLC 8.3.3 allows attackers to gain unauthorized read/write access…
- CVE-2017-17539 — Critical (CVSS 9.8): The presence of a hardcoded account in Fortinet FortiWLC 7.0.11 and earlier allows attackers to gain unauthorized…
- CVE-2016-7560 — Critical (CVSS 9.8): The rsyncd server in Fortinet FortiWLC 6.1-2-29 and earlier, 7.0-9-1, 7.0-10-0, 8.0-5-0, 8.1-2-0, and 8.2-4-0 has a…
- CVE-2016-8491 — Critical (CVSS 9.1): The presence of a hardcoded account named 'core' in Fortinet FortiWLC allows attackers to gain unauthorized read/write…
- CVE-2021-42758 — High (CVSS 8.8): An improper access control vulnerability [CWE-284] in FortiWLC 8.6.1 and below may allow an authenticated and remote…
- CVE-2017-7341 — High (CVSS 7.2): An OS Command Injection vulnerability in Fortinet FortiWLC 6.1-2 through 6.1-5, 7.0-7 through 7.0-10, 8.0 through 8.2,…
All CVEs affecting Fortinet Fortiwlc →
Other CWE-824 vulnerabilities
- CVE-2009-0846 — Critical (CVSS 10.0): The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT…
- CVE-2007-2442 — Critical (CVSS 10.0): The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote…
- CVE-2026-2805 — Critical (CVSS 9.8): Invalid pointer in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
- CVE-2026-2785 — Critical (CVSS 9.8): Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8,…
- CVE-2022-46280 — Critical (CVSS 9.8): A use of uninitialized pointer vulnerability exists in the PQS format pFormat functionality of Open Babel 3.1.1 and…
- CVE-2022-44451 — Critical (CVSS 9.8): A use of uninitialized pointer vulnerability exists in the MSI format atom functionality of Open Babel 3.1.1 and master…