Fortinet Firewall “ssh” backdoor: Case study in Nepal

On 13th January, an unknown security researcher publicly disclosed hardcoded “ssh” backdoor login credentials for Fortinet firewalls on the full-disclosure mailing list, leaving every FortiOS release built between November 2012 and July 2014 exploitable. This login method is used to control Fortinet devices from a central system using FortiManager.
In a security advisory, Fortinet stated that FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7 are vulnerable to this HIGH-risk issue.

A quick search for Fortinet devices connected to the internet in Nepal revealed 9 devices accessible via the internet. Because these Fortinet firewalls are reachable from outside networks, they may be vulnerable to the “management authentication issue”, as Fortinet described it after the disclosure of the vulnerability.

Fortinet OS exposed to The Internet in Nepal

A Python script was also released along with the full-disclosure post; on successful exploitation it gives a command prompt with administrative rights. This Twitter post shows that the script does work and that many FortiOS devices are now open to exploitation.

Exploited FortiOS as seen in the Twitter post.


According to the security advisory released by Fortinet, this issue was fixed back in July 2014. This means FortiOS 4.3 can be upgraded to 4.3.17 or later, and FortiOS 5.0 to 5.0.8 or later.

If users are unable to update their products, Fortinet has suggested some workarounds in the security advisory:

  • Disable admin access via SSH on all interfaces and use the Web GUI instead, or the console applet of the GUI for CLI access.
  • If SSH access is mandatory, in 5.0 the admin can restrict SSH access to a minimal set of authorized IP addresses via the Local In policies.
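
The advisory's version ranges and the first workaround can be checked against a device inventory with a short script. The following is an added example, not code from Fortinet or from the original post; the function names and the sample configuration backup are constructed for illustration.

```python
import re

# Affected ranges from the advisory quoted above: (major, minor) -> patch range.
AFFECTED = {(4, 3): (0, 16), (5, 0): (0, 7)}

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set allowaccess ping https
    next
end
"""

def is_affected(version):
    """True if a 'major.minor.patch' FortiOS version is in an affected range."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = map(int, m.groups())
    low, high = AFFECTED.get((major, minor), (1, 0))  # empty range if unlisted
    return low <= patch <= high

def ssh_interfaces(config_text):
    """Names of interfaces whose 'set allowaccess' line includes ssh."""
    found, depth, name = [], 0, None
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system interface" else 0
        elif line.startswith("config "):
            depth += 1          # nested block such as 'config ipv6'
        elif line == "end":
            depth -= 1          # depth 0 means the interface section is closed
        elif depth == 1 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
        elif depth == 1 and line.startswith("set allowaccess "):
            if "ssh" in line.split()[2:]:
                found.append(name)
    return found

if __name__ == "__main__":
    for v in ("4.3.16", "4.3.17", "5.0.7", "5.0.8"):
        print(v, "affected" if is_affected(v) else "not in an affected range")
    print("SSH admin access enabled on:", ssh_interfaces(SAMPLE_CONFIG))
```

A device that is both in an affected range and lists `ssh` in `allowaccess` on an internet-facing interface is the one to upgrade or lock down first.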

We highly recommend that you follow the solution or workarounds provided by Fortinet. Happy securing your network.

If you need any Information Security consultancy, please contact us.
