
CVE-2026-22153: FortiOS LDAP Authentication Bypass (Agentless VPN / FSSO)
Overview
CVE-2026-22153 is an authentication bypass vulnerability affecting specific versions of FortiOS. The issue exists in the fnbamd authentication component and can allow an unauthenticated attacker to bypass LDAP authentication under certain LDAP server configurations.
This vulnerability affects FortiOS 7.6.0 through 7.6.4.
All other supported FortiOS branches, including 6.4, 7.0, 7.2, 7.4, and 8.0, are not affected.
What Is the Issue?
FortiOS can use LDAP servers, such as Active Directory, to authenticate users for:
- Agentless VPN
- Fortinet Single Sign-On (FSSO) policies
Under normal operation, FortiOS sends user credentials to the LDAP server. The server validates them and returns either success or failure.
If the LDAP server allows unauthenticated or anonymous binds, FortiOS may incorrectly interpret the LDAP response as successful authentication, even when no valid credentials were provided.
This results in an authentication bypass, classified as CWE-305 (Authentication Bypass by Primary Weakness).
Conditions Required for Exploitation
This vulnerability is not automatically exploitable. All of the following must be true:
- The device is running FortiOS 7.6.0 to 7.6.4
- LDAP is used for authentication through Agentless VPN or FSSO policy
- The backend LDAP server allows unauthenticated binds
- The attacker can reach the authentication interface
If anonymous binds are disabled on the LDAP server, the bypass condition does not exist.
What Is an Unauthenticated Bind?
In LDAP, a bind operation is how a client authenticates to the directory.
Normal secure flow:
- Client sends username and password
- LDAP validates credentials
- The server returns success or failure
Unauthenticated bind behavior:
- Client connects without valid credentials
- The directory still responds
- The bind is reported as successful even though no password was verified
If this permissive configuration exists, the FortiOS flaw may treat that response as valid authentication.
Impact
If successfully exploited, an attacker could:
- Bypass LDAP-based authentication
- Gain unauthorized VPN access
- Access resources protected by FSSO policies
The severity depends on exposure and configuration, but authentication bypass vulnerabilities are inherently high risk when all required conditions are present.
Affected Versions
| FortiOS Version | Status | Action |
|---|---|---|
| 8.0 | Not affected | None |
| 7.6.0 to 7.6.4 | Affected | Upgrade to 7.6.5 or later |
| 7.4 | Not affected | None |
| 7.2 | Not affected | None |
| 7.0 | Not affected | None |
| 6.4 | Not affected | None |
Remediation
Primary Recommendation
Upgrade to FortiOS 7.6.5 or later.
Follow the official upgrade path using Fortinet’s upgrade tool: https://www.fortiguard.com/psirt/FG-IR-25-1052
Immediate Mitigation if Upgrade Is Delayed
Disable unauthenticated binds on the LDAP server.
For Windows Server 2019 and later with Active Directory, this can be done using:
```powershell
# Locate the Directory Service object in the forest's configuration partition
$configDN = (Get-ADRootDSE).configurationNamingContext
$dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
# Add the forest-wide flag that makes domain controllers reject simple binds that carry a DN but no password
Set-ADObject -Identity $dirSvcDN -Add @{'msDS-Other-Settings'='DenyUnauthenticatedBind=1'}
```
This removes the triggering condition entirely.
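To make the bind semantics from "What Is an Unauthenticated Bind?" and the effect of the setting above concrete, here is an added Python model; it is not FortiOS or Fortinet code and does not claim to reproduce the fnbamd defect itself, only the CWE-305 pattern the advisory describes. The directory contents, DNs and the client-side check are constructed; the server behaviour follows RFC 4513 section 5.1.2, which defines an unauthenticated bind as a non-empty DN with an empty password and says servers that refuse it should answer unwillingToPerform.

```python
# Added example (not FortiOS code): simplified model of LDAP simple-bind
# semantics and of a client that trusts the bind result too readily.
SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53  # LDAP resultCodes


class Directory:
    """Minimal model of an LDAP server's simple-bind decision (RFC 4513 s5.1)."""

    def __init__(self, passwords, deny_unauthenticated_bind):
        self.passwords = passwords  # DN -> password; constructed test data
        self.deny_unauthenticated_bind = deny_unauthenticated_bind  # models DenyUnauthenticatedBind

    def simple_bind(self, dn, password):
        if dn == "" and password == "":
            return SUCCESS  # anonymous bind: no identity is asserted at all
        if password == "":
            # Unauthenticated bind: a DN with an empty password. A server that
            # accepts it grants only anonymous access, yet still answers success.
            return UNWILLING_TO_PERFORM if self.deny_unauthenticated_bind else SUCCESS
        return SUCCESS if self.passwords.get(dn) == password else INVALID_CREDENTIALS


def authenticate_trusting_result(directory, dn, password):
    """Flawed client logic: equates 'bind succeeded' with 'password verified'."""
    return directory.simple_bind(dn, password) == SUCCESS


def authenticate_hardened(directory, dn, password):
    """Client-side control: never send an empty password, so an unauthenticated
    bind cannot be mistaken for a verified one regardless of server policy."""
    if dn == "" or password == "":
        return False
    return directory.simple_bind(dn, password) == SUCCESS


if __name__ == "__main__":
    user = "CN=alice,OU=Users,DC=example,DC=test"  # constructed DN
    permissive = Directory({user: "s3cret"}, deny_unauthenticated_bind=False)
    locked_down = Directory({user: "s3cret"}, deny_unauthenticated_bind=True)
    print("bypass on permissive server:", authenticate_trusting_result(permissive, user, ""))
    print("same client, DenyUnauthenticatedBind=1:", authenticate_trusting_result(locked_down, user, ""))
    print("hardened client on permissive server:", authenticate_hardened(permissive, user, ""))
```

Both controls independently close the gap: the server-side flag turns the empty-password bind into an error, and the client-side check never issues that bind in the first place.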
Why This Matters
Authentication bypass vulnerabilities weaken the primary security boundary, which is identity verification.
In this case, the issue depends on a directory configuration detail that many organizations overlook. Reviewing LDAP configuration is a good defensive practice even if you are not running a vulnerable FortiOS version.
Key Takeaways
- Only FortiOS 7.6.0 to 7.6.4 is affected
- LDAP authentication must be in use
- The LDAP server must allow unauthenticated binds
- Upgrade to 7.6.5 or later
- Disable anonymous binds as a best practice
