FortiSOAR 2FA Bypass: Replay Attack Raises Authentication Concerns

/HIGH
SCW vulnerabilitycvehigh-severitycwe-287
FortiSOAR 2FA Bypass: Replay Attack Raises Authentication Concerns

The National Vulnerability Database (NVD) has disclosed CVE-2026-23708, detailing an improper authentication vulnerability affecting Fortinet FortiSOAR PaaS (versions 7.6.0-7.6.3 and 7.5.0-7.5.2) and FortiSOAR on-premise (versions 7.6.0-7.6.3 and 7.5.0-7.5.2). This vulnerability, rated with a CVSS score of 7.5 (HIGH), could allow an unauthenticated attacker to bypass two-factor authentication (2FA).

The attack vector, categorized as CWE-287 (Improper Authentication), involves an attacker intercepting and decrypting authentication traffic. They can then replay a captured 2FA request. The NVD notes that successful exploitation requires precise timing, as the replay must occur before the token expires, increasing the attack’s complexity. However, ‘high complexity’ doesn’t mean ‘impossible,’ especially for determined adversaries with sufficient resources and network access.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1553.005 Multi-Factor Authentication Deregistration Defense Evasion

🛡️ Detection Rules

3 rules · 5 SIEM formats

3 auto-generated detection rules for this incident, mapped to MITRE ATT&CK. Available in Sigma, Splunk SPL, Sentinel KQL, Elastic Lucene, and QRadar AQL.

high T1190 Initial Access

Web Application Exploitation Attempt — CVE-2026-23708

Sigma Splunk SPL Sentinel KQL Elastic QRadar AQL

Get this rule in your SIEM's native format — copy, paste, detect. No manual conversion.

3 Sigma rules mapped to the ATT&CK techniques from this breach — pick your SIEM and get a ready-to-paste query.

Get Detection Rules →

Indicators of Compromise

IDTypeIndicator
CVE-2026-23708 Auth Bypass Fortinet FortiSOAR PaaS versions 7.6.0 through 7.6.3
CVE-2026-23708 Auth Bypass Fortinet FortiSOAR PaaS versions 7.5.0 through 7.5.2
CVE-2026-23708 Auth Bypass Fortinet FortiSOAR on-premise versions 7.6.0 through 7.6.3
CVE-2026-23708 Auth Bypass Fortinet FortiSOAR on-premise versions 7.5.0 through 7.5.2
CVE-2026-23708 Auth Bypass Improper authentication via replaying captured 2FA request

By Shimi's Cyber World Editorial

Related Posts

Critical RCE Flaw Hits NuGet Gallery Backend

CVE-2026-39399 — NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-20cwe-22
/CRITICAL /⚑ 4 IOCs

BoidCMS LFI to RCE: A Critical Template Flaw

CVE-2026-39387 — BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are...

vulnerabilityCVEhigh-severityremote-code-executioncwe-98
/HIGH /⚑ 4 IOCs

Nanobot AI: WebSocket Hijack Puts WhatsApp Sessions at Risk

CVE-2026-35589 — nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server...

vulnerabilityCVEhigh-severitycwe-1385
/HIGH /⚑ 5 IOCs