Published on February 10, 2026

CVE-2026-22153 – FortiOS Authentication Bypass Vulnerability Lets Attackers Bypass LDAP Authentication


Severity: High

Detail

Fortinet has revealed a high-severity vulnerability in FortiOS, identified as CVE-2026-22153 (FG-IR-25-1052), which enables unauthenticated attackers to bypass LDAP authentication in Agentless VPN or Fortinet Single Sign-On (FSSO) policies.

The flaw, categorized under CWE-305 (Authentication Bypass by Primary Weakness), resides in the fnbamd daemon and is triggered by specific LDAP server configurations that allow unauthenticated binds.

The issue arises from improper handling of LDAP authentication requests. In environments whose LDAP server permits unauthenticated binds, an attacker could exploit the weakness to gain unauthorized access without valid credentials.

Fortinet has assigned a High severity rating under CVSS v3.1, noting that while the vulnerability is network-accessible, it requires moderately complex attack conditions. The potential impact is a loss of access control: unauthorized entry into protected networks through the SSL-VPN components.

Affected Version

Only FortiOS 7.6.0 through 7.6.4 is affected. The 8.0, 7.4, 7.2, 7.0 and 6.4 branches are not affected.

FortiOS Version    Affected Sub-versions    Solution
8.0                Not affected             N/A
7.6                7.6.0 through 7.6.4      Upgrade to 7.6.5 or above
7.4                Not affected             N/A
7.2                Not affected             N/A
7.0                Not affected             N/A
6.4                Not affected             N/A

Recommendation

Administrators should upgrade to FortiOS 7.6.5 or later, following the official upgrade path tool. Fortinet urges immediate patching for exposed SSL-VPN deployments to mitigate risks in enterprise environments reliant on LDAP integration.

Workaround:

Disable unauthenticated bind on the LDAP server.

For example, LDAP unauthenticated binds can be disabled in Windows Active Directory (starting from Windows Server 2019) via the following PowerShell code snippet:

# Locate the Directory Service object in the forest's configuration partition
$configDN = (Get-ADRootDSE).configurationNamingContext
$dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"

# Add DenyUnauthenticatedBind=1 to msDS-Other-Settings (Windows Server 2019 or later)
Set-ADObject -Identity $dirSvcDN -Add @{'msDS-Other-Settings'='DenyUnauthenticatedBind=1'}
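To make clear why the workaround above closes the weakness described under Detail, the following added example (not code from the advisory, Fortinet or FortiOS) models the three simple-bind cases of RFC 4513 section 5 against a constructed directory: an unauthenticated bind (a DN with an empty password) succeeds as an anonymous session unless the server denies it, which is what DenyUnauthenticatedBind=1 enforces on Active Directory. The relying-party functions are generic illustrations; the advisory does not describe fnbamd's internal logic, and the DN, password and result-code handling here are assumptions.

```python
# Added example: LDAP simple-bind semantics (RFC 4513 section 5) and a
# relying party that does, or does not, get them right. Not FortiOS code.
from dataclasses import dataclass

# LDAP resultCode values used below
SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53

# Constructed directory (DN -> password) standing in for a real LDAP server.
DIRECTORY = {"CN=alice,DC=corp,DC=example": "correct horse battery staple"}


@dataclass
class BindResult:
    code: int
    authz_id: str  # identity the session runs as after the bind


def simple_bind(dn: str, password: str, deny_unauthenticated_bind: bool) -> BindResult:
    """Server-side outcome of an LDAP simple bind."""
    if dn == "" and password == "":
        return BindResult(SUCCESS, "anonymous")  # anonymous bind
    if dn != "" and password == "":
        # Unauthenticated bind: succeeds as *anonymous*, not as dn, unless the
        # server refuses it (RFC 4513 recommends unwillingToPerform; on AD the
        # DenyUnauthenticatedBind=1 setting turns the refusal on).
        if deny_unauthenticated_bind:
            return BindResult(UNWILLING_TO_PERFORM, "")
        return BindResult(SUCCESS, "anonymous")
    if DIRECTORY.get(dn) == password:
        return BindResult(SUCCESS, dn)  # authenticated bind as dn
    return BindResult(INVALID_CREDENTIALS, "")


def naive_authenticate(dn: str, password: str, deny: bool) -> bool:
    """Relying party that trusts the bind result code alone (weak pattern)."""
    return simple_bind(dn, password, deny).code == SUCCESS


def hardened_authenticate(dn: str, password: str, deny: bool) -> bool:
    """Relying party that refuses empty passwords before binding and requires
    the resulting session identity to be the user, not anonymous."""
    if not password:
        return False
    result = simple_bind(dn, password, deny)
    return result.code == SUCCESS and result.authz_id == dn
```

With the server-side setting off, the naive relying party accepts an empty password for any known DN; with it on, or with the hardened client-side checks, the same request is rejected while a correct password still authenticates.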

Source

https://www.fortiguard.com/psirt/FG-IR-25-1052