CVE-2016-1909

CRITICAL

Fortinet <5.0.12 - Hardcoded Passphrase

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-1909. PoCs published by operator8203, including Metasploit module auxiliary/scanner/ssh/fortinet_backdoor.

AI-analyzed exploit summary This exploit leverages a hardcoded SSH backdoor in FortiGate OS versions 4.x to 5.0.7, allowing unauthenticated access via a custom authentication handler that generates a valid password hash. It establishes an interactive shell session over SSH.

Description

Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 and 5.0.x before 5.0.8 have a hardcoded passphrase for the Fortimanager_Access account, which allows remote attackers to obtain administrative access via an SSH session.

Exploits (2)

exploitdb WORKING POC

by operator8203 · pythonremotelinux

https://www.exploit-db.com/exploits/43386

View Code ZIP pw:eip

This exploit leverages a hardcoded SSH backdoor in FortiGate OS versions 4.x to 5.0.7, allowing unauthenticated access via a custom authentication handler that generates a valid password hash. It establishes an interactive shell session over SSH.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: FortiGate OS versions 4.x to 5.0.7

No auth needed

Prerequisites: Network access to the target device · SSH service exposed on the target

MITRE ATT&CK

T1078 - Valid Accounts T1021 - Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit SCANNER

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb

View Code ZIP pw:eip

This Metasploit module scans for the Fortinet SSH backdoor (CVE-2016-1909) by attempting to authenticate using the hardcoded 'Fortimanager_Access' username. It does not exploit the vulnerability but verifies its presence.

Classification

Scanner 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Fortinet FortiOS (versions affected by CVE-2016-1909)

No auth needed

Prerequisites: Network access to the target's SSH port (22)

MITRE ATT&CK

T1021.004 - SSH

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7

Core References

Various Sources x_refsource_confirm

http://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios

Exploit mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2016/Jan/26

Exploit x_refsource_misc

http://packetstormsecurity.com/files/135225/FortiGate-OS-5.0.7-SSH-Backdoor.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1034663

Various Sources x_refsource_misc

https://twitter.com/esizkur/status/686842135501508608

Exploit exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/39224/

Vendor Advisory x_refsource_confirm

http://www.fortiguard.com/advisory/multiple-products-ssh-undocumented-login-vulnerability

Scores

CVSS v3 9.8

EPSS 0.7127

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-264

Status published

Products (10)

fortinet/fortios 5.0

fortinet/fortios 5.0.0

fortinet/fortios 5.0.1

fortinet/fortios 5.0.2

fortinet/fortios 5.0.3

fortinet/fortios 5.0.4

fortinet/fortios 5.0.5

fortinet/fortios 5.0.6

fortinet/fortios 5.0.7

fortinet/fortios < 4.3.16

Published Jan 15, 2016

Tracked Since Feb 18, 2026