LDAP authentication bypass in Agentless VPN and FSSO

Summary

An Authentication Bypass by Primary Weakness vulnerability [CWE-305] in FortiOS fnbamd may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, under specific LDAP server configuration.

Version       Affected               Solution
FortiOS 8.0   Not affected           Not applicable
FortiOS 7.6   7.6.0 through 7.6.4    Upgrade to 7.6.5 or above
FortiOS 7.4   Not affected           Not applicable
FortiOS 7.2   Not affected           Not applicable
FortiOS 6.4   Not affected           Not applicable
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Workaround:

Disable unauthenticated bind on the LDAP server.

For example, on Active Directory with domain controllers running Windows Server 2019 or later, LDAP unauthenticated binds (a simple bind that supplies a DN but an empty password) can be disabled forest-wide via the following PowerShell code snippet:

# Locate the configuration partition; the Directory Service object lives there,
# so the setting applies to every domain controller in the forest.
$configDN = (Get-ADRootDSE).configurationNamingContext
$dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
# msDS-Other-Settings is multi-valued; -Add appends the flag without touching
# the other entries already stored in the attribute.
Set-ADObject -Identity $dirSvcDN -Add @{'msDS-Other-Settings'='DenyUnauthenticatedBind=1'}
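The snippet above appends the flag unconditionally. The following added example (not part of the Fortinet advisory) applies the same setting idempotently and verifies it afterwards, which is what you want in a change that is run on more than one forest or re-run after a rollback. It assumes the ActiveDirectory PowerShell module is installed and the session runs as an account permitted to write the configuration naming context (typically Enterprise Admins); the function names are hypothetical.

```powershell
# Added example: check and idempotently apply DenyUnauthenticatedBind=1 on the
# forest's Directory Service object, then verify it. Not Fortinet's code.
# Assumes the ActiveDirectory module and write access to the configuration NC.
Import-Module ActiveDirectory

function Get-DirectoryServiceDN {
    # CN=Directory Service is in the configuration partition, so the setting
    # replicates to, and is enforced by, every domain controller in the forest.
    $configDN = (Get-ADRootDSE).configurationNamingContext
    "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
}

function Test-DenyUnauthenticatedBind {
    # Returns $true when DenyUnauthenticatedBind=1 is already present.
    $obj = Get-ADObject -Identity (Get-DirectoryServiceDN) -Properties 'msDS-Other-Settings'
    [bool]($obj.'msDS-Other-Settings' -contains 'DenyUnauthenticatedBind=1')
}

function Enable-DenyUnauthenticatedBind {
    $dn      = Get-DirectoryServiceDN
    $obj     = Get-ADObject -Identity $dn -Properties 'msDS-Other-Settings'
    $current = @($obj.'msDS-Other-Settings')

    if ($current -contains 'DenyUnauthenticatedBind=1') {
        Write-Host "DenyUnauthenticatedBind=1 already set on $dn"
        return
    }

    # msDS-Other-Settings is multi-valued. Drop any stale DenyUnauthenticatedBind=0
    # entry first so the attribute does not end up carrying both values, but leave
    # the unrelated entries (DynamicObject* and friends) untouched.
    $stale = $current | Where-Object { $_ -like 'DenyUnauthenticatedBind=*' }
    if ($stale) {
        Set-ADObject -Identity $dn -Remove @{ 'msDS-Other-Settings' = $stale }
    }
    Set-ADObject -Identity $dn -Add @{ 'msDS-Other-Settings' = 'DenyUnauthenticatedBind=1' }

    # Read the object back rather than trusting the write.
    if (-not (Test-DenyUnauthenticatedBind)) {
        throw "DenyUnauthenticatedBind=1 was not written to $dn"
    }
    Write-Host "DenyUnauthenticatedBind=1 set on $dn"
}

Enable-DenyUnauthenticatedBind
```

Because the object sits in the configuration partition, the change takes effect on each domain controller only after it has replicated there; run Test-DenyUnauthenticatedBind against the DC the FortiGate is configured to bind to before relying on the workaround. Directory servers other than Active Directory expose their own equivalent of this setting.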

Acknowledgement

Fortinet is pleased to thank Jort Geurts from the Actemium Cyber Security Team for reporting this vulnerability under responsible disclosure.

Timeline

2026-02-10: Initial publication