Hard-Coded Password Vulnerability in Fortinet Wireless Controllers
CVE-2021-22126
6.5 MEDIUM
What is CVE-2021-22126?
Fortinet Wireless Controllers, specifically FortiWLC versions 8.5.2 and below, 8.4.8 and below, 8.3.3 to 8.3.2, and 8.2.7 to 8.2.6, contain a critical flaw due to hard-coded passwords. This vulnerability enables local, authenticated users to bypass authentication controls and gain root access to the managed Access Points, namely Meru AP and FortiAP-U. If the default credentials are left unchanged, attackers could exploit this weakness to compromise network integrity and sensitive information.
Affected Version(s)
FortiWLC 8.5.0 <= 8.5.2
FortiWLC 8.4.4 <= 8.4.8
FortiWLC 8.4.0 <= 8.4.2