Critical FortiOS Vulnerability Allows Attackers to Bypass LDAP Authentication
Fortinet has recently disclosed a significant security vulnerability in its FortiOS software, identified as CVE-2026-22153 (FG-IR-25-1052). This flaw enables unauthenticated attackers to circumvent LDAP authentication mechanisms, potentially granting unauthorized access to networks protected by Agentless VPN or Fortinet Single Sign-On (FSSO) policies.
Understanding the Vulnerability
Classified under CWE-305 (Authentication Bypass by Primary Weakness), this vulnerability resides within the fnbamd daemon of FortiOS. The issue arises when the system improperly handles LDAP authentication requests, particularly in configurations that permit unauthenticated binds. In such setups, an attacker could exploit this weakness to gain access without valid credentials, posing a significant risk to network security.
Affected Versions and Recommended Actions
The vulnerability specifically affects FortiOS versions 7.6.0 through 7.6.4. Other versions, including 8.0, 7.4, 7.2, 7.0, and 6.4, are not impacted. To mitigate this risk, Fortinet advises administrators to upgrade to FortiOS version 7.6.5 or later. Detailed guidance on the upgrade process is available through Fortinet’s official upgrade path tool.
Workaround Measures
In scenarios where immediate upgrading is not feasible, Fortinet recommends disabling unauthenticated binds on the LDAP server as a temporary measure. For organizations utilizing Windows Active Directory (Server 2019 and later), the following PowerShell commands can be executed to enforce this setting:
“`powershell
$configDN = (Get-ADRootDSE).configurationNamingContext
$dirSvcDN = CN=Directory Service,CN=Windows NT,CN=Services,$configDN
Set-ADObject -Identity $dirSvcDN -Add @{‘msDS-Other-Settings’=’DenyUnauthenticatedBind=1’}
“`
Discovery and Disclosure
The vulnerability was responsibly reported by Jort Geurts from the Actemium Cyber Security Team. Fortinet publicly acknowledged and detailed the issue on February 10, 2026, emphasizing the importance of prompt remediation to maintain network integrity.
Implications for Network Security
The exploitation of this vulnerability could lead to unauthorized access to sensitive network resources, undermining the security of enterprise environments that rely on LDAP integration for authentication. Such breaches can result in data exfiltration, disruption of services, and potential lateral movement within the network by malicious actors.
Broader Context of FortiOS Vulnerabilities
This disclosure is part of a series of security challenges identified in FortiOS. For instance, CVE-2026-24858, another critical authentication bypass vulnerability, was recently reported. This flaw allows attackers with a FortiCloud account and a registered device to access other devices registered to different accounts when FortiCloud SSO authentication is enabled. The exploitation of such vulnerabilities underscores the necessity for continuous vigilance and timely application of security patches.
Recommendations for Administrators
1. Immediate Upgrade: Prioritize upgrading to FortiOS version 7.6.5 or later to address the CVE-2026-22153 vulnerability.
2. Disable Unauthenticated Binds: If upgrading is delayed, implement the provided PowerShell commands to disable unauthenticated binds on the LDAP server.
3. Review Authentication Configurations: Regularly audit and adjust authentication settings to ensure they align with best security practices, minimizing exposure to potential exploits.
4. Monitor for Unusual Activity: Establish robust monitoring mechanisms to detect and respond to unauthorized access attempts promptly.
Conclusion
The CVE-2026-22153 vulnerability in FortiOS highlights the critical importance of proactive security measures and timely system updates. By adhering to Fortinet’s recommendations and maintaining vigilant security practices, organizations can effectively mitigate the risks associated with this and similar vulnerabilities, thereby safeguarding their network infrastructures against potential threats.
