Fortinet dropped 22 security patches on March 11, 2026, including a FortiOS authentication bypass (CVE-2026-22153) that lets unauthenticated attackers slip past LDAP-based VPN and FSSO policies. The same patch cycle addresses a heap buffer overflow (CVE-2025-25249) in FortiOS and FortiSwitchManager enabling remote code execution. Ivanti simultaneously patched a high-severity auth bypass in Endpoint Manager. If you manage FortiGate firewalls, Ivanti EPM, or Intel-based infrastructure, you need to act on these this week.
Key Takeaway: FortiOS 7.6.0–7.6.4 users face an authentication bypass that can grant unauthorized network access without valid credentials — patch to 7.6.5+ immediately, especially if you use Agentless VPN or FSSO policies with remote LDAP.
What Fortinet Vulnerabilities Were Patched in March 2026?
Fortinet released fixes for 22 security defects across its product portfolio on March 11, 2026, according to SecurityWeek. The high-severity flaws span FortiOS, FortiWeb, FortiSwitchManager, FortiSwitchAXFixed, FortiManager, and FortiClientLinux — hitting nearly every layer of a typical Fortinet deployment.
Here’s the breakdown of the most critical issues:
| CVE | Product | Severity | CVSS | Impact | Exploited? |
|---|---|---|---|---|---|
| CVE-2026-22153 | FortiOS 7.6.0–7.6.4 | High | 7.2 | Auth bypass (LDAP/Agentless VPN/FSSO) | No (as of March 2026) |
| CVE-2025-25249 | FortiOS, FortiSASE, FortiSwitchManager | High | 7.4 | Remote code execution (heap overflow) | No |
| CVE-2026-24018 | FortiClientLinux | High | 7.4 | Local privilege escalation to root | No |
| CVE-2026-30897 | FortiOS API | Medium | 5.9 | Stack buffer overflow / code execution | No |
| N/A | FortiWeb | High | — | Auth rate-limit bypass | No |
| N/A | FortiSwitchAXFixed | High | — | Unauthorized command execution | No |
| N/A | FortiManager | High | — | Unauthorized code execution | No |
Fortinet stated none of these are currently exploited in the wild. But that’s cold comfort — Fortinet’s track record shows exploitation often follows disclosure by days, not weeks. CVE-2026-24858, a related FortiOS SSO authentication bypass, was actively exploited in January 2026 with attackers creating rogue local admin accounts before patches rolled out.
How Does CVE-2026-22153 Work and Why Should You Care?
CVE-2026-22153 is an authentication bypass vulnerability (CWE-288) in FortiOS that allows an unauthenticated attacker to bypass LDAP authentication for Agentless VPN or FSSO (Fortinet Single Sign-On) policies. According to Singapore’s Cyber Security Agency (CSA), successful exploitation grants unauthorized access to network resources without valid credentials.
The vulnerability requires a specific LDAP server configuration, which limits the attack surface somewhat. But here’s the problem: Agentless VPN and FSSO are precisely the features that enterprise networks deploy at scale. If your FortiGate authenticates remote users or maps AD users to firewall policies via FSSO, you’re in the blast radius.
Affected versions: FortiOS 7.6.0 through 7.6.4
Fix: Update to FortiOS 7.6.5 or later
For CCIE Security candidates, this vulnerability is a textbook example of what the blueprint calls “authentication, authorization, and accounting (AAA) troubleshooting.” The exam tests your ability to diagnose exactly this kind of auth chain failure — where a misconfigured or vulnerable authentication mechanism allows policy bypass.
What About the FortiOS Heap Buffer Overflow (CVE-2025-25249)?
CVE-2025-25249 is a heap-based buffer overflow (CWE-122) in the cw_acd daemon of FortiOS and FortiSwitchManager that allows a remote unauthenticated attacker to execute arbitrary code via crafted requests. According to Arctic Wolf’s analysis, the attack complexity is rated high, but successful exploitation gives attackers full control over the device.
The affected version spread is extensive:
- FortiOS 7.6.0–7.6.3
- FortiOS 7.4.0–7.4.8
- FortiOS 7.2.0–7.2.11
- FortiOS 7.0.0–7.0.17
- FortiOS 6.4.0–6.4.16
- FortiSwitchManager 7.2.0–7.2.5
- FortiSwitchManager 7.0.0–7.0.5
That covers essentially every FortiOS release train still in production. If you’re running FortiGate or FortiSwitchManager anywhere in your network, this one applies to you.
The cw_acd daemon handles call distribution and management functions. A heap overflow here means an attacker can corrupt memory structures and redirect execution — the classic path to remote code execution on a network appliance. Fortinet’s internal security team (Gwendal Guégniaud) discovered this one, which means it was caught before wild exploitation. But the proof-of-concept details are now public knowledge.
What Ivanti Vulnerabilities Were Fixed?
Ivanti released patches in Endpoint Manager 2024 SU5 addressing two vulnerabilities, according to Action1’s Patch Tuesday analysis:
| CVE | Severity | CVSS | Impact |
|---|---|---|---|
| CVE-2026-1603 | High | 7.4 | Authentication bypass exposing credential data |
| CVE-2026-1602 | Medium | 5.3 | SQL injection |
CVE-2026-1603 is the bigger concern. It’s an authentication bypass that can expose credential data remotely — meaning attackers don’t need to be on the internal network. Ivanti states there’s no evidence of exploitation yet, but given Ivanti’s history (CVE-2025-22457 in Connect Secure was a zero-day RCE exploited before the patch), rapid patching is warranted.
For network engineers managing Ivanti EPM alongside Fortinet firewalls, this means two separate patch cycles hitting simultaneously. Both are high-severity auth bypasses. Both need your attention this week.
How Does the Intel UEFI Advisory Fit In?
Intel published advisory INTEL-SA-01234 describing nine UEFI vulnerabilities across its reference platforms, five of which are rated high severity. These affect firmware on over 45 Intel processor models and could enable local code execution, privilege escalation, and information disclosure.
While UEFI vulnerabilities aren’t directly in your firewall management workflow, they matter if you’re running Intel-based servers for network management stations, RADIUS servers, or ISE policy nodes. A compromised UEFI persists across OS reinstalls — it’s about as deep as an attacker can get.
No evidence of exploitation exists, and these require local access, so they’re lower priority than the Fortinet and Ivanti patches. But add them to your quarterly firmware maintenance window.
What’s Your Prioritized Patching Plan?
Based on severity, exploitability, and typical network exposure, here’s the recommended patching order:
Priority 1: FortiOS 7.6.x (CVE-2026-22153) — Patch This Week
If you run Agentless VPN or FSSO with LDAP authentication, this is your top priority. An unauthenticated attacker bypassing your VPN auth is a direct path to lateral movement.
# Check your current FortiOS version
get system status
# Verify LDAP server configuration
show user ldap
# Check if Agentless VPN or FSSO is configured
show user fsso
diagnose debug application fssod -1
Priority 2: FortiOS/FortiSwitchManager (CVE-2025-25249) — Patch Within 2 Weeks
The heap overflow in cw_acd affects nearly all FortiOS versions. Attack complexity is high, but the impact is remote code execution. Schedule this alongside your CVE-2026-22153 patching if possible.
Priority 3: FortiClientLinux (CVE-2026-24018) — Next Maintenance Window
Local privilege escalation to root via symlink following. If you deploy FortiClient on Linux endpoints, patch at your next scheduled maintenance window. The local access requirement limits immediate risk.
Priority 4: Ivanti EPM (CVE-2026-1603) — Patch Within 2 Weeks
Update to EPM 2024 SU5. The auth bypass exposes credential data, which could cascade into broader compromise if Ivanti EPM manages your endpoint fleet.
Priority 5: Intel UEFI Firmware — Next Quarterly Window
Schedule BIOS/UEFI updates for Intel-based infrastructure servers. Low urgency but high persistence risk if exploited.
Why Does Fortinet Keep Having Auth Bypass Vulnerabilities?
This is the pattern that should concern every network security engineer: Fortinet has disclosed multiple authentication bypass vulnerabilities within the first quarter of 2026 alone. CVE-2026-24858 was actively exploited as a zero-day in January, with attackers creating local admin accounts and modifying firewall policies before Fortinet released patches.
According to SOCPrime’s analysis, attackers leveraged CVE-2026-24858 to:
- Create unauthorized local admin accounts on FortiGate appliances
- Download full device configurations (including VPN credentials)
- Modify firewall policies to enable persistent access
Now CVE-2026-22153 arrives — another auth bypass, this time targeting LDAP-backed authentication. The vulnerability class is the same (CWE-288: Authentication Bypass Using an Alternate Path or Channel), suggesting a systemic issue in how FortiOS handles authentication flows.
For organizations running Fortinet as their primary perimeter defense, this trend demands a layered security approach. Don’t rely solely on FortiGate for authentication — integrate with a dedicated identity provider, enforce MFA at every layer, and monitor for configuration changes via FortiAnalyzer or a SIEM.
This is also directly relevant to anyone studying for CCIE Security — the exam blueprint tests your ability to architect defense-in-depth, and real-world CVE patterns like this illustrate exactly why single-vendor authentication stacks are a liability.
How Should You Monitor for Exploitation Attempts?
Even after patching, you should monitor for indicators that these vulnerabilities were exploited before your patch window:
For CVE-2026-22153 (FortiOS LDAP bypass):
# Check for unexpected VPN sessions
diagnose vpn tunnel list
get vpn ssl monitor
# Review admin login history
diagnose sys admin list
# Check for unauthorized policy changes
execute log filter device 0
execute log filter category 1
execute log display
For CVE-2025-25249 (heap overflow):
# Monitor crashlog for cw_acd daemon
diagnose debug crashlog read
# Check for unexpected processes
fnsysctl ls -la /tmp/
For Ivanti EPM (CVE-2026-1603):
- Review EPM audit logs for unusual authentication events
- Check for new or modified admin accounts
- Monitor SQL query logs for injection patterns
The New York State advisory also flags SQL injection flaws in FortiOS that could be chained with the auth bypass — review your FortiAnalyzer logs for any anomalous SQL-pattern traffic hitting your FortiGate management interfaces.
What’s the Bigger Picture for March 2026 Patch Tuesday?
This isn’t just Fortinet and Ivanti. March 2026 was a massive patch cycle across the industry:
- Microsoft patched 83 vulnerabilities including two publicly disclosed zero-days, per CrowdStrike’s analysis
- Adobe fixed 80 vulnerabilities across eight products
- SAP addressed critical NetWeaver flaws
- Siemens, Schneider, Moxa, Mitsubishi Electric released ICS/OT patches
For network engineers managing multi-vendor environments — which is every enterprise — March 2026 represents one of the heaviest patch loads of the year. If you haven’t already built an automated patch validation pipeline (test patch → staging deployment → production rollout), this month is your wake-up call.
If you’re preparing for CCIE Security and wondering about vulnerability management skills, this is precisely the kind of operational security knowledge that separates lab-only candidates from engineers who pass — the blueprint expects you to understand defense-in-depth beyond single-vendor stacks.
Frequently Asked Questions
What Fortinet CVEs were patched in March 2026?
Fortinet patched 22 vulnerabilities on March 11, 2026, including CVE-2026-22153 (FortiOS LDAP auth bypass affecting versions 7.6.0–7.6.4), CVE-2025-25249 (heap buffer overflow for remote code execution in FortiOS and FortiSwitchManager), and high-severity flaws in FortiWeb, FortiSwitchAXFixed, FortiManager, and FortiClientLinux.
Is CVE-2026-22153 being actively exploited?
Fortinet has not confirmed active exploitation of CVE-2026-22153 as of March 2026. However, CVE-2026-24858 — a related FortiOS SSO authentication bypass — was actively exploited in January 2026, with attackers creating rogue admin accounts before patches were available. Rapid patching is essential given this pattern.
What Ivanti vulnerabilities were fixed in March 2026?
Ivanti released patches for CVE-2026-1603 (high-severity authentication bypass, CVSS 7.4) and CVE-2026-1602 (medium-severity SQL injection) in Endpoint Manager. Both are fixed in EPM 2024 SU5. No exploitation has been observed.
Which FortiOS versions are affected by CVE-2026-22153?
FortiOS versions 7.6.0 through 7.6.4 are affected by CVE-2026-22153, the LDAP authentication bypass vulnerability. Update to FortiOS 7.6.5 or later immediately, particularly if you use Agentless VPN or FSSO policies.
How does this relate to CCIE Security?
Understanding vulnerability classes like authentication bypass (CWE-288), heap buffer overflow (CWE-122), and privilege escalation is fundamental to the CCIE Security v6.1 blueprint. These real-world CVEs demonstrate the diagnostic reasoning and defense-in-depth architecture that the lab exam tests.
Staying ahead of multi-vendor vulnerability cycles is part of the job for senior network security engineers. Need help building the skills that turn CVE advisories into actionable security architecture? Reach out on Telegram @phil66xx for a free assessment.