CVE-2026-22153
FortiOS 脆弱性の分析と軽減

概要

CVE-2026-22153 is an Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Fortinet FortiOS affecting the fnbamd daemon. It allows unauthenticated attackers to bypass LDAP authentication for Agentless VPN or FSSO (Fortinet Single Sign-On) policies when the remote LDAP server is configured in a specific way (i.e., permitting unauthenticated binds). The vulnerability affects FortiOS versions 7.6.0 through 7.6.4; FortiOS 7.4, 7.2, 6.4, and 8.0 are not affected. It was publicly disclosed on February 10, 2026, with a CVSSv3 score of 7.5–8.1 (High) (FortiGuard Advisory, Feedly).

技術的な詳細

The root cause lies in the fnbamd component of FortiOS, which handles authentication for Agentless VPN and FSSO policies. When the backend LDAP server is configured to allow unauthenticated (anonymous) binds, FortiOS fails to enforce proper credential validation, enabling an attacker to bypass the authentication check entirely — classified as CWE-305 (Authentication Bypass by Primary Weakness). The attack is network-based, requires no privileges or user interaction, but does depend on the specific LDAP server configuration (unauthenticated binds enabled), making it conditionally exploitable. The vulnerability was discovered externally and reported by Jort Geurts from the Actemium Cyber Security Team under responsible disclosure (FortiGuard Advisory). Public proof-of-concept exploit code has been published on GitHub (PoC-1, PoC-2).

影響

Successful exploitation allows an unauthenticated network attacker to circumvent LDAP-based authentication controls and gain unauthorized access to resources protected by Agentless VPN or FSSO policies. This results in high confidentiality and integrity impact — attackers could access sensitive data and modify system configurations without valid credentials. Availability may also be affected depending on what resources are exposed through the bypassed authentication mechanism (FortiGuard Advisory, Feedly).

エクスプロイテーションのステップ

  1. Reconnaissance: Identify internet-facing FortiOS appliances running versions 7.6.0–7.6.4 using tools like Shodan or Censys, filtering for FortiGate/FortiOS banners on VPN or management interfaces.
  2. Verify LDAP configuration: Determine whether the target FortiOS device is configured to use LDAP authentication for Agentless VPN or FSSO, and whether the backend LDAP server permits unauthenticated (anonymous) binds — a prerequisite for exploitation.
  3. Craft authentication bypass request: Send a crafted authentication request to the Agentless VPN or FSSO endpoint that exploits the fnbamd daemon's failure to enforce credential validation when the LDAP server accepts unauthenticated binds.
  4. Bypass authentication: The FortiOS fnbamd component performs an unauthenticated LDAP bind against the backend server; because the server accepts it, the authentication check succeeds without valid credentials.
  5. Gain unauthorized access: With authentication bypassed, the attacker gains access to resources protected by the Agentless VPN or FSSO policy, potentially enabling lateral movement, data exfiltration, or further network compromise (FortiGuard Advisory, PoC-1).

妥協の兆候

  • Network: Unexpected or anomalous authentication attempts to Agentless VPN or FSSO endpoints from unknown or external IP addresses; LDAP anonymous bind requests originating from the FortiOS appliance to the backend LDAP server.
  • Logs: FortiOS authentication logs (fnbamd logs) showing successful LDAP authentication events without corresponding valid user credentials; LDAP server logs showing anonymous bind operations from the FortiGate IP address.
  • Authentication Events: Successful VPN or FSSO session establishments from IP addresses or user accounts not previously seen, particularly without corresponding valid LDAP credentials in directory logs.
  • LDAP Server: Unusual volume of anonymous bind requests from the FortiGate management IP; Windows Active Directory event logs (Event ID 2889) indicating unsigned LDAP binds if monitoring is enabled.

軽減策と回避策

Fortinet has released FortiOS 7.6.5 as the patched version; organizations running FortiOS 7.6.0 through 7.6.4 should upgrade immediately using the Fortinet upgrade path tool at https://docs.fortinet.com/upgrade-tool (FortiGuard Advisory). As an immediate workaround, disable unauthenticated (anonymous) binds on the backend LDAP server. For Windows Active Directory (Windows Server 2019 and later), this can be enforced via PowerShell:

$configDN = (Get-ADRootDSE).configurationNamingContext
$dirSvcDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configDN"
Set-ADObject -Identity $dirSvcDN -Add @{'msDS-Other-Settings'='DenyUnauthenticatedBind=1'}

Organizations should also review LDAP server configurations to ensure anonymous binds are disabled as a security baseline regardless of patching status (FortiGuard Advisory).

コミュニティの反応

The vulnerability received coverage from multiple cybersecurity news outlets including CyberSecurityNews, eSecurity Planet, and CyberPress shortly after disclosure on February 10, 2026 (CyberSecurityNews, eSecurity Planet). The Center for Internet Security (CIS) included it in a multi-vulnerability Fortinet advisory (CIS Advisory), and Belgium's Centre for Cybersecurity issued a warning urging immediate patching. Community discussion on LinkedIn and Bluesky noted the conditional nature of the exploit (requiring specific LDAP server configuration), which somewhat limits its severity in practice.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 FortiOS 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2025-53844HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいMay 12, 2026
CVE-2025-53847HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいApr 14, 2026
CVE-2026-22153HIGH8.1
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいFeb 10, 2026
CVE-2025-67862MEDIUM6.7
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
いいえはいJun 09, 2026
CVE-2025-61624MEDIUM6.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
いいえはいApr 14, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者