FortiOS Authentication Bypass Vulnerability Lets Attackers Bypass LDAP Authentication

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Fortinet has disclosed a high-severity authentication bypass vulnerability in FortiOS, tracked as CVE-2026-22153 (FG-IR-25-1052), that could allow unauthenticated attackers to sidestep LDAP authentication for Agentless VPN or Fortinet Single Sign-On (FSSO) policies.

Classified under CWE-305 (Authentication Bypass by Primary Weakness), the flaw resides in fnbamd, the FortiOS daemon that performs remote authentication against LDAP, RADIUS and TACACS+ servers. It is only reachable when the LDAP server is configured to accept unauthenticated binds.

The issue stems from improper handling of LDAP authentication requests in fnbamd. The precondition is worth stating precisely: an unauthenticated bind, in RFC 4513 terms, is a simple bind that carries a non-empty DN together with an empty password, and a server that allows it answers with success without verifying any credential. This is distinct from an anonymous bind, where both the DN and the password are empty; the workaround below targets the former. Against such a server, an attacker could obtain a successful authentication result from an Agentless VPN or FSSO policy without presenting valid credentials.

Fortinet rates the flaw High severity under CVSS v3.1. The vector reflects network reachability (the attacker only needs to reach the authentication endpoint) but also a dependence on the target's configuration, since exploitation requires the LDAP server to permit unauthenticated binds rather than a defect in FortiOS alone. The impact is improper access control: unauthorized entry into protected networks through the Agentless VPN component (the SSL-VPN web-mode feature as named in FortiOS 7.6) or through FSSO-backed policies.

Affected Versions and Fixes

Only FortiOS 7.6.0 through 7.6.4 are vulnerable. Other branches like 8.0, 7.4, 7.2, 7.0, and 6.4 remain unaffected. Administrators should upgrade to FortiOS 7.6.5 or later, following the official upgrade path tool.

FortiOS Version   Affected Sub-versions     Solution
8.0               Not affected              N/A
7.6               7.6.0 through 7.6.4       Upgrade to 7.6.5 or above
7.4               Not affected              N/A
7.2               Not affected              N/A
7.0               Not affected              N/A
6.4               Not affected              N/A

As a workaround until the upgrade is applied, disable unauthenticated binds on the LDAP server, so that a simple bind with a DN and an empty password fails instead of succeeding. On Windows Active Directory (Windows Server 2019 and later, which introduced the DenyUnauthenticatedBind heuristic) this is done from PowerShell with the ActiveDirectory module:

# Locate the Directory Service object in the forest's configuration partition
$configDN = (Get-ADRootDSE).configurationNamingContext
$dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
# msDS-Other-Settings is multi-valued; -Add appends the heuristic without touching the other values
Set-ADObject -Identity $dirSvcDN -Add @{'msDS-Other-Settings'='DenyUnauthenticatedBind=1'}

Because the attribute lives in the configuration partition, the change replicates to every domain controller in the forest; confirm that no application legitimately relies on unauthenticated binds before applying it. Other directory servers expose their own switch for the same RFC 4513 mechanism and need the equivalent change.
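The following PowerShell script is an added example, not code from the Fortinet advisory or from the article above. It serves two purposes: it verifies and enforces the DenyUnauthenticatedBind workaround in a way that copes with a stale `DenyUnauthenticatedBind=0` entry (the advisory's `-Add` would simply append a second value), and it probes the domain controller with exactly the bind pattern described earlier (a real DN with an empty password), so you can see the DC answer "Accepted" before the change and "Rejected" after it. It also shows the client-side rule any authentication front-end should enforce regardless of server policy: refuse an empty password before a simple bind is ever sent. The hostname `dc01.corp.example` and the DN `CN=svc-vpn,...` are placeholders for your environment, and the probe assumes the documented Active Directory behaviour of answering an unauthenticated bind with success when the heuristic is not set.

```powershell
# Added example (not Fortinet's or the article's code): verify/enforce DenyUnauthenticatedBind
# on Active Directory and probe the DC with an RFC 4513 "unauthenticated" simple bind
# (non-empty DN, empty password). Hostname and DN below are assumed placeholders.
param(
    [string]$DomainController = 'dc01.corp.example',                        # assumed DC hostname
    [string]$ProbeDn = 'CN=svc-vpn,OU=Service Accounts,DC=corp,DC=example'  # assumed existing DN
)

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Read the Directory Service object and report whether the heuristic is set.
function Get-UnauthenticatedBindPolicy {
    $configDN = (Get-ADRootDSE -Server $DomainController).configurationNamingContext
    $dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
    $obj = Get-ADObject -Identity $dirSvcDN -Server $DomainController -Properties 'msDS-Other-Settings'
    # msDS-Other-Settings is multi-valued; keep only the DenyUnauthenticatedBind entries.
    $entries = @($obj.'msDS-Other-Settings') | Where-Object { $_ -like 'DenyUnauthenticatedBind=*' }
    [pscustomobject]@{
        DirectoryServiceDN = $dirSvcDN
        Entries            = @($entries)
        Denied             = (@($entries) -contains 'DenyUnauthenticatedBind=1')
    }
}

# 2. Enforce the setting. A stale '=0' value is removed first so the attribute does not
#    end up carrying both '=0' and '=1' (the advisory snippet uses -Add, which appends).
function Set-DenyUnauthenticatedBind {
    $policy = Get-UnauthenticatedBindPolicy
    if ($policy.Denied) { return $policy }
    $stale = @($policy.Entries | Where-Object { $_ -ne 'DenyUnauthenticatedBind=1' })
    if ($stale.Count -gt 0) {
        Set-ADObject -Identity $policy.DirectoryServiceDN -Server $DomainController `
            -Remove @{'msDS-Other-Settings' = $stale}
    }
    Set-ADObject -Identity $policy.DirectoryServiceDN -Server $DomainController `
        -Add @{'msDS-Other-Settings' = 'DenyUnauthenticatedBind=1'}
    Get-UnauthenticatedBindPolicy
}

# 3. Probe: simple bind with a real DN and an EMPTY password.
#    'Accepted' means the DC allows unauthenticated binds; 'Rejected' is the desired outcome.
function Test-UnauthenticatedSimpleBind {
    param([string]$Server, [string]$Dn)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($Dn, '')
    try {
        $conn.Bind()
        'Accepted'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        'Rejected'
    } finally {
        $conn.Dispose()
    }
}

# 4. What an authenticating front-end must do whatever the server policy is: never forward
#    an empty password to a simple bind, because a server that allows unauthenticated binds
#    answers success without checking any credential at all.
function Test-UserPassword {
    param([string]$Server, [string]$Dn, [string]$Password)
    if ([string]::IsNullOrEmpty($Password)) { return $false }   # reject before binding
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($Dn, $Password)
    try { $conn.Bind(); $true } catch [System.DirectoryServices.Protocols.LdapException] { $false } finally { $conn.Dispose() }
}

$before = Get-UnauthenticatedBindPolicy
"Before: DenyUnauthenticatedBind=1 present: $($before.Denied); empty-password probe: $(Test-UnauthenticatedSimpleBind -Server $DomainController -Dn $ProbeDn)"
$after = Set-DenyUnauthenticatedBind
"After:  DenyUnauthenticatedBind=1 present: $($after.Denied); empty-password probe: $(Test-UnauthenticatedSimpleBind -Server $DomainController -Dn $ProbeDn)"
"Front-end check with empty password: $(Test-UserPassword -Server $DomainController -Dn $ProbeDn -Password '')"
```

Run it from a host with the RSAT ActiveDirectory module as an account permitted to modify the configuration partition. The "After" probe may still print "Accepted" for a short while on other domain controllers until the attribute has replicated; re-run the probe against each DC that FortiOS is configured to use. The last line always prints False, which is the point: an empty password must never reach the bind request.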

Discovered by Jort Geurts of the Actemium Cyber Security Team via responsible disclosure, the advisory was published today. Fortinet urges immediate patching for exposed SSL-VPN deployments to mitigate risks in enterprise environments reliant on LDAP integration.
