CVE-2026-23708
Published: 14 April 2026
Summary
CVE-2026-23708 is a high-severity Improper Authentication (CWE-287) vulnerability in Fortinet FortiSOAR. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Multi-Factor Authentication Interception (T1111). The vulnerability is ranked at the 28.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): directly prevents replay of a captured 2FA request by requiring replay-resistant authenticators, timestamps, nonces or other session-freshness mechanisms, so that a request captured from one authentication exchange is not valid in another.
- IA-5 (Authenticator Management): addresses improper 2FA token handling by mandating secure generation, distribution, storage and lifecycle management of authenticators so that they resist replay and compromise.
- Protected transmission: removes the attacker's precondition of intercepting and decrypting the authentication traffic by enforcing cryptographic confidentiality and integrity protection on the transmitted 2FA request.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an attacker who has intercepted and decrypted authentication traffic replay a captured 2FA request and gain access, which is the MFA-interception pattern T1111 describes: the second factor is defeated not by guessing it but by reusing a legitimate user's submission of it within its validity window.
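As an added illustration of how this technique would surface in authentication logs (example code written for this page, not FortiSOAR's own logging or detection logic; the JSON line format, the field names and the 30-second token validity window are assumptions, and the log lines are constructed), the following flags a user whose second factor was accepted twice inside one validity window, escalating when the two acceptances came from different source addresses:

```python
import json

TOKEN_WINDOW_SECONDS = 30   # assumption: TOTP-style validity; set to the deployed token lifetime

# Constructed sample log lines for this example (not real FortiSOAR log output).
SAMPLE_LOG = """\
{"ts": 1700000000, "event": "2fa_verify", "user": "alice", "result": "success", "src_ip": "10.0.0.5"}
{"ts": 1700000004, "event": "2fa_verify", "user": "alice", "result": "success", "src_ip": "203.0.113.9"}
{"ts": 1700000010, "event": "2fa_verify", "user": "bob",   "result": "failure", "src_ip": "10.0.0.7"}
{"ts": 1700000100, "event": "2fa_verify", "user": "bob",   "result": "success", "src_ip": "10.0.0.7"}
{"ts": 1700000120, "event": "2fa_verify", "user": "bob",   "result": "success", "src_ip": "10.0.0.7"}
{"ts": 1700000300, "event": "login",      "user": "carol", "result": "success", "src_ip": "10.0.0.8"}
not json at all
"""


def parse_2fa_successes(lines):
    """Keep only successful 2FA verifications, tolerating blank or malformed lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue   # malformed line; a real pipeline would count these separately
        if rec.get("event") == "2fa_verify" and rec.get("result") == "success":
            out.append(rec)
    return sorted(out, key=lambda r: r["ts"])


def find_replayed_2fa(lines, window=TOKEN_WINDOW_SECONDS):
    """Alert when one user has two successful 2FA verifications within a single
    token validity window. A second success from a different source address is
    the strongest signal that a captured request was replayed by someone else."""
    alerts = []
    last_success = {}   # user -> most recent successful verification
    for rec in parse_2fa_successes(lines):
        prev = last_success.get(rec["user"])
        if prev is not None and rec["ts"] - prev["ts"] <= window:
            alerts.append({
                "user": rec["user"],
                "seconds_apart": rec["ts"] - prev["ts"],
                "src_ips": [prev["src_ip"], rec["src_ip"]],
                "severity": "high" if prev["src_ip"] != rec["src_ip"] else "medium",
            })
        last_success[rec["user"]] = rec
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_2fa(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed input this raises a high-severity alert for alice (second acceptance four seconds later from 203.0.113.9) and a medium one for bob (same address, twenty seconds apart). Legitimate users who re-authenticate quickly will trip the medium rule, so treat it as a triage signal; the durable fix is server-side replay resistance, not detection.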
NVD Description
An improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity.
Deeper analysis
CVE-2026-23708 is an improper authentication vulnerability (CWE-287) in Fortinet FortiSOAR PaaS versions 7.6.0 through 7.6.3 and 7.5.0 through 7.5.2, as well as FortiSOAR on-premise versions 7.6.0 through 7.6.3 and 7.5.0 through 7.5.2. Published on 2026-04-14, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue stems from the ability to bypass authentication by replaying a captured two-factor authentication (2FA) request.
The attacker needs no credentials, but must be positioned to intercept and decrypt the authentication traffic (for example a network position that allows TLS interception) and must replay the captured 2FA request before the token expires. That precondition and timing window are why the vector rates attack complexity as high (AC:H) and requires user interaction (UI:R): a legitimate user has to perform the 2FA step for there to be a request to capture. A successful replay yields high confidentiality, integrity and availability impact (C:H/I:H/A:H), since the attacker ends up in an authenticated session rather than merely reading data. For defenders, the practical checks are whether FortiSOAR is running an affected version (7.5.0 through 7.5.2 or 7.6.0 through 7.6.3, PaaS or on-premise) and whether the authentication path can be intercepted at all.
Mitigation details are available in the Fortinet PSIRT advisory FG-IR-26-101 at https://fortiguard.fortinet.com/psirt/FG-IR-26-101.
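To make the replay-resistance point in the mitigation section concrete, the following is an added example written for this page (not FortiSOAR code; nothing on this page says how FortiSOAR actually implements its second factor). It contrasts a 2FA verifier that accepts any code matching the current time step, which is exactly the replayable shape described above, with one that binds each submission to a single-use, short-lived server-issued challenge and remembers accepted codes. The TOTP helper follows RFC 6238; the challenge lifetime, the demo secret and the timeline in `demo()` are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp_code(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class ReplayableSecondFactor:
    """Vulnerable pattern: a code is accepted whenever it matches the current
    time step, however many times it is presented. A captured 2FA request
    replayed before the step rolls over is accepted again."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret, self.clock = secret, clock

    def verify(self, code: str) -> bool:
        expected = totp_code(self.secret, self.clock())
        return hmac.compare_digest(code.encode(), expected.encode())


class ReplayResistantSecondFactor:
    """Hardened pattern: every login attempt first obtains a single-use,
    short-lived challenge; the code must be submitted against that challenge,
    which is consumed on first use (success or failure). Accepted codes are
    also remembered, so the same OTP is never accepted twice."""

    def __init__(self, secret: bytes, clock=time.time, challenge_ttl: int = 60):
        self.secret, self.clock, self.ttl = secret, clock, challenge_ttl
        self._challenges = {}   # challenge_id -> expiry time
        self._used_codes = {}   # accepted code -> time of acceptance

    def issue_challenge(self) -> str:
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = self.clock() + self.ttl
        return cid

    def verify(self, challenge_id: str, code: str) -> bool:
        now = self.clock()
        expiry = self._challenges.pop(challenge_id, None)   # consumed on first use
        if expiry is None or now > expiry:
            return False
        # Forget codes older than any window in which they could still validate.
        self._used_codes = {c: t for c, t in self._used_codes.items() if now - t < 90}
        if code in self._used_codes:
            return False
        expected = totp_code(self.secret, now)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False
        self._used_codes[code] = now
        return True


def demo(t0: float = 1_700_000_000.0) -> dict:
    """Replay a captured code against both verifiers on a constructed timeline."""
    secret = b"constructed-demo-secret"        # assumption: not a real deployed secret
    state = {"t": t0}
    clock = lambda: state["t"]
    captured = totp_code(secret, t0)            # the code the victim submitted at t0
    results = {}

    weak = ReplayableSecondFactor(secret, clock)
    results["weak_first"] = weak.verify(captured)
    state["t"] = t0 + 5                         # replay 5 s later, same time step
    results["weak_replay"] = weak.verify(captured)

    strong = ReplayResistantSecondFactor(secret, clock)
    state["t"] = t0
    cid = strong.issue_challenge()
    results["strong_first"] = strong.verify(cid, captured)
    state["t"] = t0 + 5
    results["strong_replay_same_challenge"] = strong.verify(cid, captured)
    results["strong_replay_new_challenge"] = strong.verify(strong.issue_challenge(), captured)
    stale = strong.issue_challenge()            # issued at t0+5, expires at t0+65
    state["t"] = t0 + 66
    results["strong_expired_challenge"] = strong.verify(stale, totp_code(secret, state["t"]))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:32s} {'ACCEPTED' if accepted else 'rejected'}")
```

The weak verifier accepts the captured code on both the first submission and the replay five seconds later; the hardened one accepts it once and rejects the replay whether it reuses the consumed challenge, obtains a fresh challenge, or arrives after the challenge expired. Consuming the challenge on failure as well as success also denies an attacker multiple guesses against one challenge. In a deployment the challenge and used-code tables would live in shared storage with the same TTLs, since a per-process dictionary does not survive restarts or span nodes.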
Details
- CWE(s)