CVE-2016-1909

CRITICAL

Fortinet <5.0.12 - Hardcoded Passphrase

Title source: llm

Description

Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 and 5.0.x before 5.0.8 have a hardcoded passphrase for the Fortimanager_Access account, which allows remote attackers to obtain administrative access via an SSH session.

Exploits (2)

exploitdb WORKING POC

by operator8203 · pythonremotelinux

https://www.exploit-db.com/exploits/43386

View Code ZIP pw:eip

metasploit SCANNER

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb

View Code ZIP pw:eip

References (7)

[Various Sources] http://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios

[Exploit] http://packetstormsecurity.com/files/135225/FortiGate-OS-5.0.7-SSH-Backdoor.html

[Exploit] http://seclists.org/fulldisclosure/2016/Jan/26

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1034663

[Various Sources] https://twitter.com/esizkur/status/686842135501508608

[Exploit] https://www.exploit-db.com/exploits/39224/

[Vendor Advisory] http://www.fortiguard.com/advisory/multiple-products-ssh-undocumented-login-vulnerability

Scores

CVSS v3 9.8

EPSS 0.7856

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-264

Status published

Products (10)

fortinet/fortios 5.0

fortinet/fortios 5.0.0

fortinet/fortios 5.0.1

fortinet/fortios 5.0.2

fortinet/fortios 5.0.3

fortinet/fortios 5.0.4

fortinet/fortios 5.0.5

fortinet/fortios 5.0.6

fortinet/fortios 5.0.7

fortinet/fortios < 4.3.16

Published Jan 15, 2016

Tracked Since Feb 18, 2026