Fortinet has issued a high-severity security advisory regarding a vulnerability in specific versions of its FortiOS operating system.
The flaw, identified as CVE-2026-22153, could allow unauthorized attackers to bypass authentication mechanisms, potentially granting them access to critical network resources.
The vulnerability is rooted in the fnbamd daemon, the FortiGate component that handles authentication requests against remote servers such as LDAP.
Under specific configurations, this flaw allows an attacker to bypass the Lightweight Directory Access Protocol (LDAP) authentication used for Agentless VPNs and Fortinet Single Sign-On (FSSO) policies.
How the Vulnerability Works
The issue is classified as an “Authentication Bypass by Primary Weakness” (CWE-305).
It occurs when the FortiOS device interacts with an LDAP server, such as Microsoft Active Directory, that is configured to allow “unauthenticated binds.”
| Field | Value |
|---|---|
| CVE ID | CVE-2026-22153 |
| Severity | High |
| CVSSv3 Score | 7.5 |
In the normal flow, the firewall binds to the LDAP server with the credentials the user supplied and treats a successful bind as proof that those credentials are valid.
An unauthenticated bind (RFC 4513, section 5.1.2) is a simple bind that carries a non-empty DN but an empty password; a server configured to permit it answers with success without checking anything. Because of this bug, if the backend LDAP server is that permissive (it allows anonymous or unauthenticated connections), the firewall may treat such a request as validated, letting an attacker bypass the login requirement entirely.
Fortinet rates the flaw High with a CVSSv3 score of 7.5.
Successful exploitation lets an unauthenticated attacker bypass policy enforcement for Agentless VPN or FSSO, gaining network entry or access to protected resources without valid credentials.
Fortinet strongly recommends that organizations on the affected 7.6.x branch upgrade to FortiOS 7.6.5 or later immediately.
If an immediate upgrade is not feasible, the workaround is to disable unauthenticated binds on the LDAP server itself, so that the permissive condition the bug depends on never exists.
On Active Directory (Windows Server 2019 and later) this is an LDAP policy named DenyUnauthenticatedBind, stored as a value of the msDS-Other-Settings attribute on the Directory Service object in the Configuration partition; setting it to 1 via PowerShell makes domain controllers reject simple binds that present a DN with an empty password.
Two caveats: the policy governs only that empty-password case (fully anonymous, empty-DN binds are controlled separately by dSHeuristics), and any legacy application that has been quietly relying on empty-password binds will start failing once it is enforced, so test before rolling it out forest-wide.
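The following PowerShell is an added example, not code from Fortinet's advisory or from the article. It ties together the mechanism described under "How the Vulnerability Works" and the workaround above: it probes a domain controller with exactly the kind of bind the flaw relies on (non-empty DN, empty password), reads the current DenyUnauthenticatedBind policy, sets it to 1 without clobbering the other values in msDS-Other-Settings, and probes again. It assumes a domain-joined host with the ActiveDirectory RSAT module, an account permitted to modify the Configuration partition, and that the .NET LdapConnection passes an empty password through as an unauthenticated simple bind; the server name and probe DN are placeholders.

```powershell
# Added example for CVE-2026-22153 remediation; not Fortinet's or the article's code.
# Assumptions: ActiveDirectory module present, rights on the Configuration NC,
# and $Server / $BindDn replaced with values from your own forest.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-UnauthenticatedBind {
    <#
      Sends an LDAP simple bind with a NON-empty DN and an EMPTY password, which is
      the "unauthenticated" bind of RFC 4513 section 5.1.2. A server that permits it
      returns success without verifying anything; that is the permissive state the
      FortiOS flaw depends on. Returns $true if the DC accepted the bind.
    #>
    param(
        [Parameter(Mandatory)][string]$Server,   # placeholder, e.g. 'dc01.corp.example'
        [Parameter(Mandatory)][string]$BindDn    # any syntactically valid DN; need not exist
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        # Empty password on purpose. An empty DN would be an *anonymous* bind,
        # a different setting that this probe does not measure.
        $conn.Bind((New-Object System.Net.NetworkCredential($BindDn, '')))
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # A hardened DC answers invalidCredentials (49) or unwillingToPerform (53).
        return $false
    } finally {
        $conn.Dispose()
    }
}

function Get-DirectoryServiceDn {
    # LDAP policies live on the Directory Service object in the Configuration NC,
    # so the setting replicates across the forest rather than per domain controller.
    $root = Get-ADRootDSE
    return "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
}

function Get-DenyUnauthenticatedBind {
    # Returns the existing 'DenyUnauthenticatedBind=<n>' entry, or nothing if unset.
    # Unset means unauthenticated binds are still accepted.
    $obj = Get-ADObject -Identity (Get-DirectoryServiceDn) -Properties 'msDS-Other-Settings'
    return @($obj.'msDS-Other-Settings') | Where-Object { $_ -like 'DenyUnauthenticatedBind=*' }
}

function Set-DenyUnauthenticatedBind {
    # msDS-Other-Settings is multi-valued and also carries unrelated policies
    # (DynamicObjectDefaultTTL and friends), so never -Replace the whole attribute:
    # drop any stale DenyUnauthenticatedBind=<n> entry, then add the =1 value.
    $dn    = Get-DirectoryServiceDn
    $stale = @(Get-DenyUnauthenticatedBind)
    if ($stale.Count -gt 0) {
        Set-ADObject -Identity $dn -Remove @{ 'msDS-Other-Settings' = $stale }
    }
    Set-ADObject -Identity $dn -Add @{ 'msDS-Other-Settings' = 'DenyUnauthenticatedBind=1' }
}

# --- Usage (placeholder values; adjust to your forest) ---
$Server = 'dc01.corp.example'
$BindDn = 'CN=probe,DC=corp,DC=example'

$before = Test-UnauthenticatedBind -Server $Server -BindDn $BindDn
"Before: policy=[$(Get-DenyUnauthenticatedBind)] unauthenticated bind accepted=$before"

Set-DenyUnauthenticatedBind

$after = Test-UnauthenticatedBind -Server $Server -BindDn $BindDn
"After : policy=[$(Get-DenyUnauthenticatedBind)] unauthenticated bind accepted=$after"
```

Run the probe against every domain controller the FortiGate is configured to use, not just the one you changed the policy on, and re-run it after AD replication has completed; a DC that still answers $true is one the workaround has not yet reached. Keep the "Before" result: it is your evidence of whether the permissive condition ever existed in your environment.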