CVE-2016-1909
published 2016-01-15

CVE-2016-1909: Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11…

Priority: P184 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 71.27% (99.3rd percentile)
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 and 5.0.x before 5.0.8 have a hardcoded passphrase for the Fortimanager_Access account, which allows remote attackers to obtain administrative access via an SSH session.

Affected (10 ranges)

Vendor    Product   Version range   Fixed in
fortinet  fortios   <= 4.3.16       (not listed)
fortinet  fortios   (9 further ranges listed; version data not present in the extracted page)

Detection & IOCs (extracted from sources)

  • other: Fortimanager_Access (hardcoded account name)
  • other: FGTAbc11*xy+Qqz27 (static salt string)
  • other: AK1 + base64(\x00*12 + sha1_digest) (challenge-response password format)
  • bytes: \xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70 (static byte sequence appended before hashing)
  • Detect SSH authentication attempts using the hardcoded backdoor username 'Fortimanager_Access' on Fortinet devices; any login attempt with this username should be treated as malicious.
  • The exploit uses SSH keyboard-interactive authentication (auth_interactive) after an initial password auth attempt; monitor for this two-step SSH auth sequence targeting 'Fortimanager_Access'.
  • The challenge-response password is computed as 'AK1' + base64(\x00*12 + SHA1(\x00*12 + challenge + 'FGTAbc11*xy+Qqz27' + static_bytes)); network signatures can match the 'AK1' prefix in SSH keyboard-interactive responses.
  • A Metasploit auxiliary scanner module exists for mass-scanning this backdoor; watch for automated SSH scanning activity against Fortinet devices on port 22.
  • Affected platforms include FortiGate 4.x; prioritize detection on FortiOS 4.1.x, 4.2.x, 4.3.x, 5.0.x, FortiAnalyzer before 5.0.12/5.2.5, FortiSwitch 3.3.x, and FortiCache 3.0.x.
  • The backdoor account 'Fortimanager_Access' is hardcoded in firmware; patching to fixed versions is required to remove it, so detection alone is insufficient for remediation.
  • The challenge-response mechanism uses a static salt string ('FGTAbc11*xy+Qqz27') and a static byte sequence appended to the SHA1 hash, meaning the password is deterministically computable from any SSH challenge; blocking the username is the only reliable network-level control.
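The first two detection bullets (flag any login for the hardcoded username, and flag the password-then-keyboard-interactive sequence from one source) can be turned into a small log detector. The block below is an added example written for this page; it is not from the cited sources, Fortinet, or the Metasploit module. The syslog-style line format, the host/source field names, and the 30-second pairing window are assumptions: map them to the real fields of your device's SSH authentication log before use.

```python
import re
from datetime import datetime

# Constructed sample events in an assumed syslog-style format (NOT Fortinet's real log schema).
SAMPLE_LOGS = """\
2016-01-15T10:00:01Z fw1 sshd: auth=password user=admin src=10.0.0.5 result=failed
2016-01-15T10:00:02Z fw1 sshd: auth=password user=Fortimanager_Access src=198.51.100.7 result=failed
2016-01-15T10:00:03Z fw1 sshd: auth=keyboard-interactive user=Fortimanager_Access src=198.51.100.7 result=success
2016-01-15T10:00:09Z fw1 sshd: auth=password user=admin src=10.0.0.5 result=success
2016-01-15T10:05:00Z fw1 sshd: auth=keyboard-interactive user=Fortimanager_Access src=203.0.113.9 result=failed
"""

# Hardcoded account name from the advisory; any use of it is malicious.
BACKDOOR_USER = "Fortimanager_Access"

# Assumed line layout; adjust the regex for the real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: auth=(?P<method>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_backdoor_logins(log_text, window_seconds=30):
    """Return one alert per authentication event that uses the hardcoded username.

    An alert carries sequence=True when a keyboard-interactive attempt from the
    same (host, src) pair follows a password attempt within window_seconds, which
    is the two-step pattern the public exploit produces.
    """
    alerts = []
    last_password = {}  # (host, src) -> timestamp of the last password attempt
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["user"] != BACKDOOR_USER:
            continue  # benign or unparseable line
        key = (ev["host"], ev["src"])
        sequence = False
        if ev["method"] == "password":
            last_password[key] = ev["ts"]
        elif ev["method"] == "keyboard-interactive":
            prev = last_password.get(key)
            if prev is not None and 0 <= (ev["ts"] - prev).total_seconds() <= window_seconds:
                sequence = True
        alerts.append({
            "severity": "critical",  # every use of this username is hostile
            "host": ev["host"],
            "src": ev["src"],
            "method": ev["method"],
            "result": ev["result"],
            "sequence": sequence,
            "reason": "password-then-keyboard-interactive exploit sequence"
                      if sequence else "login attempt with hardcoded backdoor username",
        })
    return alerts


def sources_to_block(alerts):
    """Sorted list of distinct source addresses that touched the backdoor account."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    for a in detect_backdoor_logins(SAMPLE_LOGS):
        print(a["severity"], a["host"], a["src"], a["method"], a["result"], "-", a["reason"])
    print("block:", sources_to_block(detect_backdoor_logins(SAMPLE_LOGS)))
```

Every hit is critical regardless of result, since no legitimate session should ever use this account; the sequence flag only adds context on whether the attempt looks automated. Because the password is derivable from the challenge, a successful keyboard-interactive login here should be treated as full administrative compromise of the device, not as a failed probe.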

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)