FirstPassLab
Originally published at firstpasslab.com

22 Fortinet Patches, 2 Ivanti Auth Bypasses, 9 Intel UEFI Bugs — Your March 2026 Patching Cheat Sheet

Fortinet dropped 22 security patches on March 11, 2026, including a FortiOS authentication bypass (CVE-2026-22153) that lets unauthenticated attackers slip past LDAP-based VPN and FSSO policies. The same patch cycle addresses a heap buffer overflow (CVE-2025-25249) in FortiOS and FortiSwitchManager enabling remote code execution. Ivanti simultaneously patched a high-severity auth bypass in Endpoint Manager. If you manage FortiGate firewalls, Ivanti EPM, or Intel-based infrastructure, here's your prioritized action plan.

TL;DR: FortiOS 7.6.0–7.6.4 has an auth bypass that grants unauthorized network access without credentials. Patch to 7.6.5+ immediately if you use Agentless VPN or FSSO with LDAP.


The Fortinet Patch Dump: What Actually Matters

Fortinet released fixes for 22 security defects across its portfolio. Here's the breakdown of what you need to care about:

CVE              Product                                 CVSS  Impact                        Exploited?
CVE-2026-22153   FortiOS 7.6.0–7.6.4                     7.2   Auth bypass (LDAP/VPN/FSSO)   No
CVE-2025-25249   FortiOS, FortiSASE, FortiSwitchManager  7.4   RCE via heap overflow         No
CVE-2026-24018   FortiClientLinux                        7.4   Local privesc to root         No
CVE-2026-30897   FortiOS API                             5.9   Stack overflow / code exec    No
N/A              FortiWeb                                High  Auth rate-limit bypass        No
N/A              FortiSwitchAXFixed                      High  Unauthorized cmd exec         No

None are currently exploited in the wild. But Fortinet's track record says exploitation follows disclosure by days, not weeks. CVE-2026-24858 — a related FortiOS SSO auth bypass — was actively exploited in January 2026 with attackers creating rogue admin accounts before patches even shipped.

CVE-2026-22153: The Auth Bypass You Need to Fix Today

This is a CWE-288 authentication bypass in FortiOS that lets an unauthenticated attacker bypass LDAP authentication for Agentless VPN or FSSO policies. Successful exploitation grants unauthorized access to network resources without valid credentials.

The catch: it requires a specific LDAP server configuration. But Agentless VPN and FSSO are exactly the features that enterprise networks deploy at scale. If your FortiGate authenticates remote users or maps AD users to firewall policies via FSSO, you're in the blast radius.

Affected: FortiOS 7.6.0 through 7.6.4
Fix: Update to FortiOS 7.6.5+

CVE-2025-25249: Heap Overflow → Remote Code Execution

A heap-based buffer overflow (CWE-122) in the cw_acd daemon of FortiOS and FortiSwitchManager. Remote unauthenticated attackers can execute arbitrary code via crafted requests.

The version spread is brutal:

  • FortiOS 7.6.0–7.6.3
  • FortiOS 7.4.0–7.4.8
  • FortiOS 7.2.0–7.2.11
  • FortiOS 7.0.0–7.0.17
  • FortiOS 6.4.0–6.4.16
  • FortiSwitchManager 7.2.0–7.2.5
  • FortiSwitchManager 7.0.0–7.0.5

That covers essentially every FortiOS release train still in production.
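To turn the two version tables above into a quick fleet check, here is an added example (not code from the original post or from Fortinet) that parses the "Version:" line of `get system status` and reports which of the two FortiOS CVEs a build falls under. The affected ranges are transcribed from this post; the model-name prefix used to tell FortiSwitchManager from FortiOS and the sample status line are assumptions.

```python
# Added example: match a FortiOS / FortiSwitchManager build against the
# affected ranges this post lists for CVE-2026-22153 and CVE-2025-25249.
import re

# (family, first affected, last affected), inclusive, transcribed from the post.
AFFECTED = {
    "CVE-2026-22153": [("FortiOS", (7, 6, 0), (7, 6, 4))],
    "CVE-2025-25249": [
        ("FortiOS", (7, 6, 0), (7, 6, 3)),
        ("FortiOS", (7, 4, 0), (7, 4, 8)),
        ("FortiOS", (7, 2, 0), (7, 2, 11)),
        ("FortiOS", (7, 0, 0), (7, 0, 17)),
        ("FortiOS", (6, 4, 0), (6, 4, 16)),
        ("FortiSwitchManager", (7, 2, 0), (7, 2, 5)),
        ("FortiSwitchManager", (7, 0, 0), (7, 0, 5)),
    ],
}

# Matches the first line of `get system status`, e.g.
# "Version: FortiGate-100F v7.6.3,build3510,250210 (GA.F)"
VERSION_RE = re.compile(r"Version:\s*(\S+)\s+v(\d+)\.(\d+)\.(\d+)")

def parse_status(status_output):
    """Return (family, (major, minor, patch)) from `get system status` output."""
    m = VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no Version: line found")
    model = m.group(1)
    # Assumption: FortiSwitchManager reports a model name starting with its product name.
    family = "FortiSwitchManager" if model.startswith("FortiSwitchManager") else "FortiOS"
    return family, tuple(int(x) for x in m.group(2, 3, 4))

def affected_cves(family, version):
    """List the CVEs whose affected ranges (inclusive) contain this build."""
    return [cve for cve, ranges in AFFECTED.items()
            if any(fam == family and lo <= version <= hi for fam, lo, hi in ranges)]

def assess(status_output):
    """Convenience wrapper: status text in, list of matching CVE ids out."""
    return affected_cves(*parse_status(status_output))

if __name__ == "__main__":
    # Constructed sample (build numbers are made up): 7.6.3 sits inside both ranges.
    sample = "Version: FortiGate-100F v7.6.3,build3510,250210 (GA.F)\n"
    print(assess(sample))
```

Run it against the status output you already collect per device; an empty list for a 7.6.x box means it is already on 7.6.5 or later.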

Ivanti: Two More Auth Problems

Ivanti released patches in Endpoint Manager 2024 SU5:

CVE              CVSS  Impact
CVE-2026-1603    7.4   Auth bypass exposing credential data
CVE-2026-1602    5.3   SQL injection

CVE-2026-1603 is the bigger concern — an auth bypass that exposes credential data remotely. Given Ivanti's history (CVE-2025-22457 in Connect Secure was a zero-day RCE exploited before the patch), don't sit on this one.

Your Prioritized Patching Plan

Based on severity, exploitability, and typical network exposure:

Priority 1: FortiOS 7.6.x (CVE-2026-22153) — This Week

If you run Agentless VPN or FSSO with LDAP authentication, this is job #1.

# Check your current FortiOS version
get system status

# Verify LDAP server configuration
show user ldap

# Check if Agentless VPN or FSSO is configured
show user fsso
diagnose debug application fssod -1

Priority 2: FortiOS/FortiSwitchManager (CVE-2025-25249) — Within 2 Weeks

The heap overflow affects nearly all FortiOS versions. Attack complexity is high, but impact is full RCE. Schedule alongside your CVE-2026-22153 patching.

Priority 3: FortiClientLinux (CVE-2026-24018) — Next Maintenance Window

Local privesc to root via symlink following. If you deploy FortiClient on Linux endpoints, queue it up.

Priority 4: Ivanti EPM (CVE-2026-1603) — Within 2 Weeks

Update to EPM 2024 SU5. Auth bypass + credential exposure = potential cascade.

Priority 5: Intel UEFI Firmware — Next Quarterly Window

Intel published advisory INTEL-SA-01234 with nine UEFI vulnerabilities across 45+ processor models. Five rated high severity. Requires local access, so lower urgency — but UEFI compromises persist across OS reinstalls.

Why Does Fortinet Keep Having Auth Bypasses?

This is the pattern that should concern you: multiple authentication bypass vulnerabilities within Q1 2026 alone.

CVE-2026-24858 was actively exploited as a zero-day in January:

  • Attackers created unauthorized local admin accounts on FortiGate appliances
  • Downloaded full device configurations (including VPN credentials)
  • Modified firewall policies to enable persistent access

Now CVE-2026-22153 arrives — another auth bypass, same vulnerability class (CWE-288). This suggests a systemic issue in how FortiOS handles authentication flows.

If Fortinet is your primary perimeter defense:

  • Don't rely solely on FortiGate for auth — integrate with a dedicated IdP
  • Enforce MFA at every layer
  • Monitor for config changes via FortiAnalyzer or SIEM
  • Consider defense-in-depth beyond a single-vendor auth stack

Post-Patch: Check for Pre-Patch Exploitation

Even after patching, verify these weren't exploited before your update window:

For CVE-2026-22153 (LDAP bypass):

# Check for unexpected VPN sessions
diagnose vpn tunnel list
get vpn ssl monitor

# Review admin login history
diagnose sys admin list

# Check for unauthorized policy changes
execute log filter device 0
execute log filter category 1
execute log display
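Reading `execute log display` output by eye does not scale, so here is an added triage script (not from the original post, and not a Fortinet tool) that parses FortiOS key=value event logs and flags the two behaviours this post attributes to the January zero-day: new local admin accounts and firewall policy changes, plus any config write from a source IP outside your management allowlist. The field names used (action, cfgpath, cfgobj, ui) follow FortiOS config-change events; the sample log lines and the allowlist are constructed for illustration.

```python
# Added example: flag suspicious FortiOS configuration-change events.
import re

# key="quoted value" or key=bareword, as FortiOS writes its logs.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MGMT_ALLOWLIST = {"10.0.0.5", "10.0.0.6"}  # constructed: your admin jump hosts

def parse_line(line):
    """Turn one FortiOS log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def source_ip(ui):
    """Client IP from a ui field such as ssh(10.0.0.5); None for console access."""
    m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", ui)
    return m.group(1) if m else None

def triage(lines):
    """Return (reason, user, ui, cfgpath, cfgobj) tuples for events worth a look."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "event" or "cfgpath" not in ev:
            continue  # only configuration-change events matter here
        reasons = []
        if ev["cfgpath"] == "system.admin" and ev.get("action") == "Add":
            reasons.append("new-admin-account")
        if ev["cfgpath"] == "firewall.policy":
            reasons.append("policy-change")
        ip = source_ip(ev.get("ui", ""))
        if ip and ip not in MGMT_ALLOWLIST:
            reasons.append("config-change-from-unlisted-ip")
        for r in reasons:
            findings.append((r, ev.get("user"), ev.get("ui"), ev["cfgpath"], ev.get("cfgobj")))
    return findings

# Constructed sample lines in FortiOS key=value format (not real captures).
SAMPLE_LOGS = [
    'date=2026-01-14 time=02:13:41 type="event" subtype="system" level="information" vd="root" user="admin" ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2026-01-14 time=02:15:02 type="event" subtype="system" level="information" vd="root" user="svc_backup" ui="https(203.0.113.7)" action="Edit" cfgpath="firewall.policy" cfgobj="7" msg="Edit firewall.policy 7"',
    'date=2026-01-14 time=09:00:10 type="event" subtype="system" level="information" vd="root" user="admin" ui="ssh(10.0.0.5)" action="Edit" cfgpath="system.dns" cfgobj="" msg="Edit system.dns"',
    'date=2026-01-14 time=09:01:00 type="event" subtype="vpn" level="information" vd="root" user="alice" msg="SSL tunnel established"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Feed it the same event logs you export to FortiAnalyzer or your SIEM; a hit on new-admin-account or policy-change dated before your patch window is the signal to start incident response rather than just close the ticket.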

For CVE-2025-25249 (heap overflow):

# Monitor crashlog for cw_acd daemon
diagnose debug crashlog read

# Check for unexpected processes
fnsysctl ls -la /tmp/

For Ivanti EPM (CVE-2026-1603):

  • Review EPM audit logs for unusual auth events
  • Check for new/modified admin accounts
  • Monitor SQL query logs for injection patterns

The Bigger March 2026 Picture

This wasn't just Fortinet and Ivanti. March 2026 was one of the heaviest patch loads of the year:

  • Microsoft: 83 vulnerabilities including two publicly disclosed zero-days
  • Adobe: 80 vulnerabilities across eight products
  • SAP: Critical NetWeaver flaws
  • Siemens, Schneider, Moxa, Mitsubishi Electric: ICS/OT patches

If you haven't built an automated patch validation pipeline (test → staging → production), March 2026 is your wake-up call.


Originally published at FirstPassLab. More deep dives on network security engineering at firstpasslab.com.


Disclosure: This article was adapted from original research with AI assistance in editing and formatting.
