A new security advisory from Fortinet highlights a serious weakness in FortiOS that could let attackers slip past authentication controls in certain environments.
The issue, tracked as CVE-2026-22153, affects how FortiOS handles LDAP-based authentication when used with features like Agentless VPN and Fortinet Single Sign-On (FSSO). In specific configurations, an external attacker may be able to gain access without providing valid credentials.
How the authentication bypass happens
At the core of the problem is the fnbamd authentication service inside FortiOS. Under particular LDAP server settings — especially those that allow unauthenticated or anonymous bind requests — the system may incorrectly process login attempts. Instead of properly rejecting an unauthorized request, the flow can result in access being granted.
This means an attacker on the network could potentially reach protected resources tied to SSL-VPN or identity-based policies, even though they never successfully authenticated through LDAP. While the attack requires certain conditions to be present, environments using less restrictive LDAP configurations face increased risk.
Impacts
◆ Attackers may bypass LDAP authentication under specific setups
◆ SSL-VPN and identity-based access policies can be exposed
◆ Unauthorized access to internal network resources becomes possible
◆ Risk is higher where anonymous LDAP binds are allowed
Fortinet rates the issue as high severity due to its network exposure and the potential for access control failures, even though it depends on configuration choices rather than a simple plug-and-play exploit.
Only the FortiOS 7.6 branch is affected, specifically versions 7.6.0 through 7.6.4. Other major release lines remain unaffected. The recommended fix is upgrading to FortiOS 7.6.5 or later using the official upgrade path.
For organizations that cannot patch immediately, tightening LDAP settings can reduce exposure. Disabling unauthenticated binds on the LDAP server — particularly in Windows Active Directory environments — helps prevent the vulnerable condition from being triggered.
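A way to verify that mitigation from the directory side, added here as an example and not part of Fortinet's advisory: the script below builds a raw LDAP simple-bind request with a non-empty DN and an empty password (the "unauthenticated" bind of RFC 4513 section 5.1.2) using only the Python standard library, sends it to your own LDAP server, and reports whether the server answers with success (resultCode 0) or refuses it (typically 53 unwillingToPerform or 49 invalidCredentials). Hostname, port and bind DN are assumptions to be replaced with your own values.

```python
import socket

def ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """Tag-Length-Value for one BER element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id, bind_dn, password=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    A non-empty DN with an empty password is an unauthenticated bind (RFC 4513 5.1.2).
    msg_id is assumed to be below 128 so it fits one INTEGER byte."""
    body = tlv(0x02, b"\x03") + tlv(0x04, bind_dn.encode()) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def _read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(msg):
    """Extract resultCode from an LDAPMessage carrying a BindResponse [APPLICATION 1]."""
    tag, seq, _ = _read_tlv(msg, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, _, pos = _read_tlv(seq, 0)          # skip messageID
    tag, resp, _ = _read_tlv(seq, pos)     # BindResponse
    assert tag == 0x61, "not a BindResponse"
    tag, code, _ = _read_tlv(resp, 0)      # resultCode ENUMERATED
    assert tag == 0x0A, "missing resultCode"
    return int.from_bytes(code, "big")

def unauthenticated_bind_accepted(host, bind_dn, port=389, timeout=5):
    """True if the server grants an empty-password simple bind (the condition to eliminate)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, bind_dn, b""))
        reply = s.recv(4096)               # bind responses are small; one read suffices
    return bind_result_code(reply) == 0

if __name__ == "__main__":
    # Assumed placeholders: point these at your own directory server.
    ok = unauthenticated_bind_accepted("ldap.example.internal", "cn=anyuser,dc=example,dc=internal")
    print("unauthenticated bind ACCEPTED (tighten LDAP settings)" if ok else "unauthenticated bind refused")
```

A result of True means the directory still honours unauthenticated binds and the FortiOS mitigation above has not taken effect; re-run after changing the server setting to confirm it now returns False.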
This vulnerability was responsibly reported by a security researcher and serves as another reminder that authentication security depends not just on the firewall, but also on how backend identity services are configured.