
FortiGate Admin-Hijack Operator Plants Hidden Backdoors and Steals Full Device Configuration

A skilled operator used CVE-2022-40684 to take over an internet-facing FortiGate through its REST API: six backdoor super-admin accounts, an SSH key for re-entry, the admin account hidden from the GUI, MFA disabled, and the full configuration stolen. No malware.

T1190, T1136.001, T1098.004, T1078.001, T1564, T1556.006, T1552.001, T1555

A skilled operator exploited a FortiGate firewall using CVE-2022-40684, an authentication bypass patched in October 2022 that remains one of the most exploited edge-device vulnerabilities, to inject multiple backdoor administrator accounts, plant an SSH key for passwordless re-entry, hide the compromised account from the management interface, disable two-factor authentication, and download the complete device configuration, including LDAP credentials and VPN user secrets.

The operator’s playbook shows pen-test-level sophistication: they tested a separate, newer exploit chain first (CVE-2024-21762), pivoted when it did not work, then ran a systematic persistence-hardening sequence designed to survive administrative review. The SSH key they planted, which carries the handle “z0r0” in its comment field, has not been seen in any public threat-intelligence feed.

State of the Attack tracks threats that commodity feeds miss. Atomic indicators are held in a vetted-distribution brief; request access at the bottom.

What happened

In late May 2026, an operator compromised a FortiGate firewall by exploiting CVE-2022-40684, a critical authentication bypass in the FortiOS REST API. The vulnerability allows an unauthenticated attacker to perform administrative actions by including Forwarded: for=127.0.0.1 in their HTTP request headers — FortiOS trusts this as a signal that the request originated from the device itself.

The entire operation — from first reconnaissance to configuration theft — took 76 minutes. The operator used two separate IP addresses hosted at different European providers, switching from a reconnaissance tool to a stripped-down exploit module partway through the session.

Why this matters: The stolen configuration file contains everything an attacker needs for lateral movement into the corporate network: LDAP bind credentials (for authenticating to Active Directory), VPN user passwords, SNMP community strings, internal network topology, and firewall rule definitions. The hidden admin account and planted SSH key give the attacker persistent re-entry that survives password rotation and any incident-response playbook that checks for new accounts but does not audit existing FortiOS admin accounts for the hidden flag and SSH keys.

Key terms

  • FortiGate — a firewall and VPN appliance made by Fortinet, widely deployed at network perimeters. Administrators manage it through a web interface and REST API.
  • CVE-2022-40684 — a critical authentication bypass (CVSS 9.8) patched in October 2022. Attackers send Forwarded: for=127.0.0.1 in their HTTP headers, which FortiOS interprets as a local request, bypassing all authentication. Despite its age, it remains actively exploited.
  • CVE-2024-21762 — a separate FortiOS vulnerability (out-of-bounds write in the SSL-VPN component) that this operator also attempted. Exploited via specially crafted chunked HTTP requests.
  • Hidden admin — FortiOS admin accounts carry a hidden flag. When set, the account does not appear in the web management interface, so an attacker who sets it can keep access that is invisible to an administrator who reviews accounts through the GUI. The CLI and an offline configuration backup still show it, which is why the checks below start there.
  • JA4 — a fingerprint computed from how a client negotiates a TLS connection. Different tools produce different JA4 fingerprints, allowing defenders to track an actor’s tooling across sessions.

The attack, step by step

Step 1. Reconnaissance (Minute 0)

The operator began by visiting the device’s admin login page repeatedly with a user-agent string identifying themselves as “Research/1.0” — likely testing whether the device was online and responsive. They then switched to a Python-based tool (python-requests/2.34.2) and checked the firmware version endpoint to confirm the device was running a vulnerable FortiOS version.

Step 2. CVE-2024-21762 attempt (Minute 22)

Before trying the older bypass, the operator first tested CVE-2024-21762, the SSL-VPN out-of-bounds write. They sent a POST request to the VPN login page containing 2,000 bytes of padding (the letter ‘A’ repeated). This is a standard technique for probing whether the SSL-VPN component is vulnerable to the out-of-bounds write. The device responded normally, indicating the exploit did not trigger as expected.

This is noteworthy: the operator carried exploit code for at least two different FortiGate vulnerability chains and chose between them based on the device’s response. This is not scanner behavior — it demonstrates hands-on familiarity with multiple exploit chains.

Step 3. CVE-2022-40684 exploitation (Minute 62)

Forty minutes later — a gap that suggests the operator was evaluating other targets — they returned with their exploit tool. The tool had a different TLS fingerprint and no user-agent string, indicating a purpose-built exploit module separate from the reconnaissance tool.

The operator first confirmed the admin API was accessible with a GET request to the admin endpoint, then injected their first backdoor account:

POST /api/v2/cmdb/system/admin
Forwarded: for=127.0.0.1
{"name": "fortipwn_test", "password": "[REDACTED]",
 "accprofile": "super_admin"}

The Forwarded: for=127.0.0.1 header is the CVE-2022-40684 bypass. The device processed this as a local administrative request and created the account.

Step 4. Persistence hardening (Minute 68)

Over the next nine seconds, the operator sent five rapid-fire requests to modify the existing admin account. Each request changed a single attribute:

  1. Planted an SSH public key — enabling passwordless login via SSH
  2. Set trusthost to 0.0.0.0/0 — allowing admin access from any IP
  3. Confirmed super_admin privilege — ensuring full access
  4. Set hidden: 1 — making the admin account invisible in the GUI
  5. Disabled two-factor authentication — removing the MFA requirement

They then sent a sixth request containing all these changes plus a new password, consolidating the persistence in one atomic operation.

The hidden: 1 flag is the most sophisticated element. Most incident-response playbooks for FortiGate compromises check for new admin accounts — they do not check whether existing accounts have been modified with the hidden flag. An administrator reviewing the device through the web interface would not see that the admin account now has an attacker-controlled SSH key.

Step 5. Redundant backdoors (Minute 69)

The operator created four additional admin accounts (fw1, fw2, fw3, fw_api) with super_admin privileges — a belt-and-suspenders approach ensuring access survives even if some accounts are discovered and deleted. They also tested form-encoded vs JSON content types, suggesting they were validating their tool against different FortiOS API behaviors.

Step 6. Configuration theft (Minute 71–76)

The operator created one final account (“fortipwn_admin”) with what appeared to be their primary operational password, then accessed the SSL-VPN portal and downloaded the complete device configuration:

GET /api/v2/monitor/system/config/backup?scope=global
Cookie: SVPNCOOKIE=[session token]

They downloaded the configuration twice from the first IP address, then a third time from a second IP address 14 minutes later — likely to confirm the backup was consistent or to have a copy on separate infrastructure.

The configuration file includes LDAP bind credentials (used to authenticate to Active Directory), VPN user passwords, internal network addressing, firewall policies, and SNMP community strings. With this information, the attacker can attempt lateral movement into the internal network without touching the firewall again.

What defenders should look for

On FortiGate devices

  1. Hidden admin accounts. From the CLI, run show system admin and show full-configuration system admin (the latter also prints attributes left at their defaults) and compare the list with what the web GUI shows: accounts with set hidden enable do not appear in the GUI. Any hidden admin account that your organization did not create is a compromise indicator. Repeat the check on the most recent configuration backup stored off the device.

  2. Unexpected SSH keys. Check show system admin for ssh-public-key1, ssh-public-key2 and ssh-public-key3 entries. Legitimate administrators rarely configure SSH key authentication on FortiGate devices. The fingerprint of the key used in this campaign is available in the vetted-distribution brief; it is likely reused across targets and can be matched during incident response with ssh-keygen -lf /path/to/extracted/key.pub, which prints the SHA256 fingerprint. Review which interfaces allow SSH at the same time (allowaccess under config system interface): a planted key is only usable where SSH is reachable, so an unexpected addition of ssh to allowaccess belongs in the same review.

  3. Config backup access logs. Review FortiOS event logs for config backup download events and cross-check each one's source address and session against the API-access history; a backup pulled from an address outside your trusthost ranges, or by a session that was not opened through the normal management path, is suspect.

  4. Admin account modifications. Audit changes to trusthost, accprofile, two-factor, ssh-public-key and hidden fields on existing admin accounts, not just new account creation. The simplest way is to diff the current configuration against the last known-good backup stored off the device: the operator's final combined request rewrote several of these attributes on the built-in admin account in one operation, and nothing about the account name changed.
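One way to run checks 1, 2 and 4 against a configuration backup, and to inventory what a stolen backup exposes (the credential classes listed under “Configuration theft” above). This is an added example, not a Fortinet tool: the parser handles the config/edit/set/next/end block syntax that FortiOS backups and show full-configuration share, the sample configs are constructed, and the set hidden 1 form of the hidden attribute is an assumption mirroring the hidden:1 API field. The diff against the last known-good backup is the part that exposes a modified built-in admin, which an allowlist check alone would pass.

```python
"""Audit a FortiOS config backup (the config/edit/set syntax `show full-configuration`
prints): flag the persistence markers above, diff admin accounts against a known-good
backup, and list credentials a stolen copy exposes. Configs below are constructed samples;
the hidden attribute is assumed to be stored as `set hidden 1` (mirrors the hidden:1 API field)."""
import base64
import hashlib
import shlex

def parse_fortios_config(text):
    """Return [{'table', 'name', 'settings'}] parsed from config/edit/set/next/end blocks."""
    entries, path, frames = [], [], []
    def open_entry(name):
        frames[-1] = {"table": " ".join(path), "name": name, "settings": {}}
        entries.append(frames[-1])
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):               # push a table; nesting is allowed
            path.append(line[7:].strip())
            frames.append(None)
        elif line.startswith("edit ") and path:
            open_entry(shlex.split(line[5:])[0])
        elif line.startswith("set ") and path:
            if frames[-1] is None: open_entry("")     # `set` directly under `config`
            key, *value = shlex.split(line[4:])
            frames[-1]["settings"][key] = " ".join(value)
        elif line == "next" and frames:
            frames[-1] = None
        elif line == "end" and path:
            path.pop()
            frames.pop()
    return entries

def admins(entries):
    return {e["name"]: e["settings"] for e in entries if e["table"] == "system admin"}

def ssh_fingerprint(key_line):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it, for matching against a brief."""
    blob = base64.b64decode(key_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

ANY_SOURCE = {"0.0.0.0 0.0.0.0", "0.0.0.0/0", "::/0"}
WATCHED = ("accprofile", "two-factor", "hidden", "ssh-public-key", "trusthost", "password")

def audit_admins(entries, allowlist):
    """Point-in-time indicators. An absent trusthost (the default) also means any source."""
    findings = []
    for name, s in admins(entries).items():
        if name not in allowlist:
            findings.append((name, "account not in allowlist"))
        if s.get("hidden") in ("1", "enable"):
            findings.append((name, "hidden flag set"))
        for key, value in s.items():
            if key.startswith("ssh-public-key"):        # key comment is the third field
                comment = (value.split()[2:3] or ["(none)"])[0]
                findings.append((name, f"{key} present, comment {comment}, {ssh_fingerprint(value)}"))
            elif key.startswith("trusthost") and value in ANY_SOURCE:
                findings.append((name, f"{key} allows any source"))
    return findings

def diff_admins(baseline, current):
    """Changed watched attributes on accounts in both configs; this catches a modified built-in admin."""
    before, after = admins(baseline), admins(current)
    return [(n, k, before[n].get(k), after[n].get(k))
            for n in sorted(before.keys() & after.keys())
            for k in sorted(set(before[n]) | set(after[n]))
            if k.startswith(WATCHED) and before[n].get(k) != after[n].get(k)]

CREDENTIAL_FIELDS = {"user ldap": "password", "user local": "passwd",   # LDAP bind and local/VPN passwords
                     "system snmp community": "name"}                   # community string

def exposed_credentials(entries):
    """Objects whose stored secret must be rotated once a backup is known to be stolen."""
    return [(e["table"], e["name"]) for e in entries
            if e["settings"].get(CREDENTIAL_FIELDS.get(e["table"]))]

SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed sample, not a real key").decode() + " z0r0"
BASELINE = """config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.0.0
        set two-factor fortitoken
        set password ENC baseline-blob
    next
end"""
COMPROMISED = f"""config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set two-factor disable
        set hidden 1
        set ssh-public-key1 "{SAMPLE_KEY}"
        set password ENC attacker-blob
    next
    edit "fortipwn_admin"
        set password ENC attacker-blob2
    next
end
config user ldap
    edit "corp-ad"
        set password ENC ldap-bind-blob
    next
end"""
```

Typical use is audit_admins(parse_fortios_config(COMPROMISED), {"admin"}) for the current backup, diff_admins(parse_fortios_config(BASELINE), parse_fortios_config(COMPROMISED)) for changes since the last known-good copy, and exposed_credentials(...) to build the rotation list. The fingerprint in the SSH finding has the same SHA256 form that ssh-keygen -lf prints, so it can be compared directly with the one in the brief.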

On the network

  1. CVE-2022-40684 signature. Any HTTP request to the FortiGate management API carrying a loopback address in a Forwarded or X-Forwarded-For header is an exploitation attempt; no legitimate client sends loopback addresses in these headers. Match the value in every form it can take, not just the literal for=127.0.0.1: the public proof of concept sends Forwarded: for="[127.0.0.1]:8000";by="[127.0.0.1]:9000", and ::1 and the rest of 127.0.0.0/8 count too.

  2. Post-compromise credential use. If LDAP bind credentials or VPN user passwords from the FortiGate configuration appear in authentication logs for other systems, the configuration was stolen.

  3. Account naming patterns. The operator used the prefix “fortipwn_” for their accounts. While specific to this actor, any admin account with pen-test-style naming (containing “pwn”, “hack”, “test”, “backdoor”) on a production device warrants investigation.

Operator profile

This is not a mass scanner. The behavioral evidence points to a hands-on operator with specific tradecraft:

  • Multi-chain capability: tested CVE-2024-21762 before pivoting to CVE-2022-40684, demonstrating familiarity with multiple exploit chains for the same product.
  • Manual tempo: 40-minute gap between reconnaissance and exploitation, 30-90 second pauses between steps, iterative password testing. This is a human making decisions, not a script firing sequentially.
  • Persistence depth: the hidden-admin flag and SSH key injection go beyond what commodity tools implement. Most automated CVE-2022-40684 exploits create an admin account and stop.
  • Operational separation: used two IPs from different providers in different countries (Germany and Belgium), switching between recon and exploit tooling with different TLS fingerprints.
  • Pen-test conventions: account naming (“fortipwn_”) and password patterns (“Test1234!”, “Pwn3d123!”) follow penetration-testing conventions, suggesting the operator learned their craft from or participates in that community. A public tool called “fortipwn” exists for this same CVE, but it only does SSH key injection — it cannot create accounts, hide admins, or download configurations. This operator wrote a significantly more capable custom tool while adopting the naming convention.
  • Novel operator: The SSH key fingerprint and handle do not appear in any public threat-intelligence feed, breach database, or security research publication. This is either a new operator or one who has not been previously documented.

MITRE ATT&CK mapping

Technique                                    ID          What the operator did
Exploit Public-Facing Application            T1190       CVE-2022-40684 auth bypass on FortiGate management API
Valid Accounts: Default Accounts             T1078.001   Modified the built-in admin account for persistence
Account Manipulation: SSH Authorized Keys    T1098.004   Planted SSH key on admin account
Create Account: Local Account                T1136.001   Created 6 backdoor admin accounts
Hide Artifacts                               T1564       Set hidden: 1 flag on admin account
Modify Authentication Process: MFA           T1556.006   Disabled two-factor authentication
Unsecured Credentials: Credentials In Files  T1552.001   Downloaded full FortiOS configuration backup
Credentials from Password Stores             T1555       Config contains LDAP bind and VPN user credentials

Requesting indicators

Atomic indicators (IP addresses, JA4 fingerprints, SSH key material, account names and passwords) are available in a vetted-distribution brief. Contact us to request access.

State of the Attack publishes when there is something worth publishing — not on a schedule. Each report covers threats that are not yet cataloged in public feeds. If you operate FortiGate devices and want early access to future reports, reach out.

Detection Rules & IOCs

One behavioral Sigma rule. It matches the CVE-2022-40684 auth-bypass pattern and the operator's persistence markers, so it fires on this operator and on CVE-2022-40684 exploitation generally.

Sigma: FortiGate CVE-2022-40684 admin-API bypass + backdoor injection
File: sigma-z0r0-fortigate-40684.yml
Detects: CVE-2022-40684 exploitation of the FortiGate admin API plus the operator's backdoor-account and persistence markers
Deploy on: FortiGate management/web logs, WAF, or reverse proxy in front of the admin interface
When it fires: on a loopback Forwarded/X-Forwarded-For header to /api/v2/cmdb/system/admin, or on a body setting hidden:1, ssh-public-key1, two-factor disable, or creating a fortipwn_/fw* admin account

In plain terms

  • Sigma — is someone sending a loopback Forwarded header to my FortiGate admin API, or quietly hiding an admin account? (management/web-log level)
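The same conditions as runnable detection logic, covering both the network indicators listed under “On the network” and the firing conditions of the Sigma rule. This is an added example over constructed request records, not the Sigma rule itself; it assumes requests are available as dicts with method, url, headers and body, the shape a WAF or reverse proxy in front of the admin interface could export. It normalises the bracketed, port-suffixed Forwarded form the public proof of concept uses, and parses both JSON and form-encoded bodies, since the operator tried both.

```python
"""Request-level detection for the indicators above: loopback addresses in Forwarded or
X-Forwarded-For headers (including the quoted, bracketed, port-suffixed form that a public
CVE-2022-40684 proof of concept sends), writes to the admin API, the persistence attributes,
backdoor-style account names, and config backup downloads. Runs over constructed request
records shaped like a WAF or reverse-proxy export; this is an added example, not the Sigma rule."""
import ipaddress
import json
import re
from urllib.parse import parse_qs, urlsplit

ADMIN_API = "/api/v2/cmdb/system/admin"
CONFIG_BACKUP = "/api/v2/monitor/system/config/backup"
SUSPICIOUS_NAME = re.compile(r"^(fortipwn_|fw\d*$|fw_api$)", re.I)   # naming seen in this campaign
ANY_SOURCE = {"0.0.0.0/0", "0.0.0.0 0.0.0.0", "::/0"}

def forwarded_hosts(headers):
    """Yield address tokens from Forwarded (RFC 7239 for=/by=) and X-Forwarded-For; keys lower-case."""
    for pair in headers.get("forwarded", "").split(";"):
        key, _, val = pair.strip().partition("=")
        if key.lower() in ("for", "by"):
            yield val
    yield from (v for v in headers.get("x-forwarded-for", "").split(",") if v.strip())

def is_loopback(token):
    """Normalise '"[127.0.0.1]:8000"', '127.0.0.1:80', '::1' or '[::1]:443' and test for loopback."""
    t = token.strip().strip('"')
    if t.startswith("["):                    # bracketed host, optional :port
        t = t[1:].split("]")[0]
    elif t.count(":") == 1:                  # IPv4 with port
        t = t.split(":")[0]
    try:
        return ipaddress.ip_address(t).is_loopback
    except ValueError:
        return False

def parse_body(body, content_type):
    """JSON or form-encoded body to a flat dict (the operator tried both encodings)."""
    if not body:
        return {}
    if "json" in content_type.lower():
        try:
            return json.loads(body)
        except ValueError:
            return {}
    return {k: v[0] for k, v in parse_qs(body).items()}

def analyze(req):
    """Return the indicator names one request matches (empty list = nothing of interest)."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    path = urlsplit(req["url"]).path
    reasons = []
    if any(is_loopback(t) for t in forwarded_hosts(headers)):
        reasons.append("loopback_forwarded_header")
    if path.startswith(ADMIN_API) and req["method"] in ("POST", "PUT"):
        reasons.append("admin_api_write")
        body = parse_body(req.get("body", ""), headers.get("content-type", ""))
        if str(body.get("hidden", "")) == "1":
            reasons.append("hidden_flag")
        if any(k.startswith("ssh-public-key") for k in body):
            reasons.append("ssh_key_implant")
        if body.get("two-factor") == "disable":
            reasons.append("mfa_disabled")
        if any(k.startswith("trusthost") and str(v) in ANY_SOURCE for k, v in body.items()):
            reasons.append("trusthost_any")
        if SUSPICIOUS_NAME.search(str(body.get("name", ""))):
            reasons.append("backdoor_style_name")
    if path == CONFIG_BACKUP:                # normal for admins; correlate with source and session
        reasons.append("config_backup_download")
    return reasons

def scan(requests):
    """(source, url, reasons) for every request that matched at least one indicator."""
    return [(r["src"], r["url"], hits) for r in requests if (hits := analyze(r))]

# Constructed request records (not captured traffic); addresses are documentation ranges.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "method": "GET", "url": "/login",
     "headers": {"X-Forwarded-For": "198.51.100.7"}},
    {"src": "203.0.113.21", "method": "POST", "url": "/api/v2/cmdb/system/admin",
     "headers": {"Forwarded": 'for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";',
                 "Content-Type": "application/json"},
     "body": '{"name": "fortipwn_test", "password": "x", "accprofile": "super_admin"}'},
    {"src": "203.0.113.21", "method": "PUT", "url": "/api/v2/cmdb/system/admin/admin",
     "headers": {"Forwarded": "for=127.0.0.1", "Content-Type": "application/json"},
     "body": '{"hidden": 1, "ssh-public-key1": "ssh-ed25519 AAAA z0r0", '
             '"two-factor": "disable", "trusthost1": "0.0.0.0/0"}'},
    {"src": "203.0.113.21", "method": "POST", "url": "/api/v2/cmdb/system/admin",
     "headers": {"X-Forwarded-For": "127.0.0.1", "Content-Type": "application/x-www-form-urlencoded"},
     "body": "name=fw1&accprofile=super_admin&password=x"},
    {"src": "203.0.113.44", "method": "GET", "url": "/api/v2/monitor/system/config/backup?scope=global",
     "headers": {"Cookie": "SVPNCOOKIE=redacted"}},
]

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_REQUESTS):
        print(src, url, ", ".join(reasons))
```

The config-backup match is deliberately reported on its own rather than folded into the exploitation score: administrators download backups legitimately, and the signal is the source address and session behind the download, which is why scan keeps the source alongside the reasons.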

Frequently asked

What is FortiGate Admin-Hijack Operator Plants Hidden Backdoors and Steals Full Device Configuration?

A skilled operator used CVE-2022-40684 to take over an internet-facing FortiGate through its REST API: six backdoor super-admin accounts, an SSH key for re-entry, the admin account hidden from the GUI, MFA disabled, and the full configuration stolen. No malware.

What vulnerability does FortiGate Admin-Hijack Operator Plants Hidden Backdoors and Steals Full Device Configuration exploit?

The operator gained access by exploiting CVE-2022-40684, an authentication bypass in the FortiOS REST API, after an unsuccessful attempt against CVE-2024-21762. The full exploitation chain is documented in the analysis above.

How do I detect FortiGate Admin-Hijack Operator Plants Hidden Backdoors and Steals Full Device Configuration?

FortiGate Admin-Hijack Operator Plants Hidden Backdoors and Steals Full Device Configuration can be detected with the Sigma rule “FortiGate CVE-2022-40684 admin-API bypass + backdoor injection”, downloadable on this page. It is a single behavioral rule: it matches the CVE-2022-40684 auth-bypass pattern and the operator's persistence markers, so it fires on this operator and on CVE-2022-40684 exploitation generally.

What MITRE ATT&CK techniques does FortiGate Admin-Hijack Operator Plants Hidden Backdoors and Steals Full Device Configuration use?

FortiGate Admin-Hijack Operator Plants Hidden Backdoors and Steals Full Device Configuration maps to T1190, T1136.001, T1098.004, T1078.001, T1564, T1556.006, T1552.001, T1555.

Tags: FortiGate, CVE-2022-40684, CVE-2024-21762, custom-cve-2022-40684-exploit, cve-2024-21762-module, python-requests, hidden-admin-persistence:hidden-flag, mfa-disable, ssh-key-implant, trusthost-any:0.0.0.0/0, redundant-backdoor-accounts, config-backup-exfil, exploit-escalation:try-newer-then-pivot, access-resale, z0r0, edge-device, auth-bypass