Fortinet has disclosed a high-severity vulnerability in its FortiOS platform that lets attackers sidestep LDAP authentication for Agentless VPN and Fortinet Single Sign-On (FSSO) policies.
Tracked as FG-IR-25-1052 and CVE-2026-22153, the flaw stems from an improper access control issue in the fnbamd daemon, classified under CWE-305.
Published on February 10, 2026, it carries a high severity rating with a CVSSv3 score of 7.5.
| Field | Details |
|---|---|
| Severity | High |
| CVSSv3 Score | 7.5 |
| Impact | Improper access control |
| CVE ID | CVE-2026-22153 |
At its core, the problem arises under specific LDAP server setups where unauthenticated binds are allowed. An attacker without valid credentials can exploit this to impersonate users and gain unauthorized access to protected resources.
This affects FSSO policies, which rely on LDAP for seamless single sign-on across Fortinet firewalls, and Agentless VPN tunnels that don’t require client software.
Security researchers warn that in environments with misconfigured LDAP, such as those that permit anonymous binds, attackers could chain this with network access to pivot deeper into corporate networks.
AFFECTED VERSION TABLE
| Version | Affected | Solution |
|---|---|---|
| FortiOS 8.0 | Not affected | Not Applicable |
| FortiOS 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiOS 7.4 | Not affected | Not Applicable |
| FortiOS 7.2 | Not affected | Not Applicable |
| FortiOS 7.0 | Not affected | Not Applicable |
| FortiOS 6.4 | Not affected | Not Applicable |
The vulnerability hinges on how FortiOS’s fnbamd handles LDAP queries. Normally, it verifies user identities against the LDAP server before enforcing policies.
But if the server supports unauthenticated binds (a legacy feature in some directories), fnbamd fails to enforce proper checks, letting crafted requests slip through.
Jort Geurts from the Actemium Cyber Security Team discovered and responsibly reported the issue, earning Fortinet’s acknowledgement.
Impacted versions include FortiOS 7.6.0 through 7.6.4. Earlier branches such as 7.4, 7.2, 7.0, and 6.4, as well as the newer 8.0, remain unaffected. Fortinet urges immediate upgrades to 7.6.5 or later.
As a temporary fix, admins can turn off unauthenticated binds on the LDAP server. For Windows Active Directory (from Server 2019 onward), this PowerShell snippet does the trick:

```powershell
# Locate the forest configuration partition (CN=Configuration,DC=...)
$configDN = (Get-ADRootDSE).configurationNamingContext
# The Directory Service object that holds forest-wide LDAP settings
$dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
# Add DenyUnauthenticatedBind=1 to the multi-valued msDS-Other-Settings attribute;
# domain controllers then reject simple binds that carry a DN but no password
Set-ADObject -Identity $dirSvcDN -Add @{'msDS-Other-Settings'='DenyUnauthenticatedBind=1'}
```
Experts emphasize auditing LDAP configurations enterprise-wide, as this flaw highlights risks in legacy authentication methods. Fortinet’s PSIRT team released CVRF and CSAF feeds for automated ingestion.
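As an added audit example (not code from the advisory or from Fortinet), the script below checks a domain controller both ways: it reads whether the DenyUnauthenticatedBind workaround is present in msDS-Other-Settings, and it probes the server with a DN-plus-empty-password bind to see whether unauthenticated binds are actually still accepted. It assumes the ActiveDirectory (RSAT) module, rights to read the configuration partition, and a placeholder server name.

```powershell
# Added audit example (not from the advisory): report whether a domain controller
# still accepts unauthenticated LDAP binds (non-empty DN, empty password), both by
# reading the DenyUnauthenticatedBind setting and by probing the bind itself.
# Assumes the ActiveDirectory module (RSAT); the server name is a placeholder.
param(
    [string]$Server = "dc01.example.internal"   # placeholder DC hostname
)

$rootDse  = Get-ADRootDSE -Server $Server
$configDN = $rootDse.configurationNamingContext
$dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"

# 1. Configuration check: the workaround adds DenyUnauthenticatedBind=1 to the
#    multi-valued msDS-Other-Settings attribute of the Directory Service object.
$settings = (Get-ADObject -Server $Server -Identity $dirSvcDN `
                -Properties 'msDS-Other-Settings').'msDS-Other-Settings'
$denyConfigured = @($settings) -contains 'DenyUnauthenticatedBind=1'

# 2. Behavioural check: a simple bind with a DN but an empty password is an
#    "unauthenticated bind" (RFC 4513). A hardened DC refuses it; a permissive
#    DC answers success without verifying any credential, which is exactly the
#    LDAP setup the advisory describes as the precondition for CVE-2026-22153.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$probeDN = "CN=ldap-audit-probe,$($rootDse.defaultNamingContext)"   # need not exist
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
try {
    $conn.Bind((New-Object System.Net.NetworkCredential($probeDN, '')))
    $unauthBindAccepted = $true
} catch [System.DirectoryServices.Protocols.LdapException] {
    $unauthBindAccepted = $false     # e.g. invalidCredentials (49): bind refused
} finally {
    $conn.Dispose()
}

if ($unauthBindAccepted) {
    $finding = 'Unauthenticated binds accepted: apply DenyUnauthenticatedBind=1 and patch FortiOS'
} else {
    $finding = 'Unauthenticated binds rejected'
}

[pscustomobject]@{
    Server                  = $Server
    DenyUnauthenticatedBind = $denyConfigured
    UnauthenticatedBindOK   = $unauthBindAccepted
    Finding                 = $finding
}
```

Run it against every domain controller that a FortiGate LDAP server object points at; a mismatch between the two checks (setting present but bind still accepted) usually means the change has not replicated yet or the probe is hitting a different DC.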
This incident underscores the need for modern authentication hardening, such as binding only to LDAP and enabling multi-factor enforcement, amid rising VPN-targeted attacks.
Site: cybersecuritypath.com