lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Fortinet FortiOS

Fortinetnetwork7 credentials4 default credentials

Credentials7 documented
01

Factory Default Admin Login

fortinet-fortios / factory-default-admin

Out of the box, FortiGate/FortiOS ships with a single administrator account named "admin" and no password set. On FortiOS 6.2.1+ the login flow forces a password change on first sign-in; older builds allowed direct login and left the account passwordless until an operator set one.

static defaultsecretusername/password

Default credentials

admin:(empty)

Location

public interface

HTTPS/SSH management on the default management interface (192.168.1.99/24 on most FortiGate models, 10.10.10.1/24 on some legacy units)

Notes

The "no password" default matters because operators still periodically expose freshly-imaged or RMA'd units to a network before the first-login prompt fires — including HA replacement units, which per Fortinet documentation are sometimes intentionally left blank so the primary can push configuration. On builds before 6.2.1 there is no forced change: an internet-reachable management interface plus a passwordless admin equals full device compromise.

02

maintainer Recovery Account

fortinet-fortios / maintainer-recovery-account

"maintainer" is a Fortinet-documented recovery account for resetting a lost admin password. Access requires physical console access plus a reboot: during a short window after boot, logging in as "maintainer" with a password of "bcpb" followed by the device's serial number resets the admin password.

static defaultsecretusername/password

Default credentials

maintainer:bcpb <serial-number>

Location

public interface

serial console only, during a ~30-60 second window after boot (60 s in newer BIOS revisions)

Notes

The password format is documented by Fortinet as bcpb<serial-number> — the serial appears on the device chassis. The account cannot be renamed, and its only capability is resetting super_admin passwords. Fortinet lets operators disable it via `config system global; set admin-maintainer disable; end`; if "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED" appears at the console banner, it's off. Frequently left on in the field because support teams rely on it. Physical/console access is required, so it isn't remote in the usual sense — but a colo-managed appliance with unrestricted serial console access is effectively remote for whoever runs the colo.

03

SSL VPN User Credentials

fortinet-fortios / sslvpn-user-credentials

Local or LDAP-backed usernames and passwords used to authenticate SSL VPN sessions against the FortiGate. User-defined, but included here because their storage locations are LOLCreds-relevant: they live inside FortiOS config and — historically — in the plaintext sslvpn_websession file for currently connected users.

user definedsecretusername/password

Location

config file

local users defined under `config user local` in the FortiOS configuration; passwords are hashed at rest but present in plaintext during any `execute backup config` before the encryption key was fixed (see config-backup-hardcoded-key below)

source code

hardcoded into FortiClient VPN profile XML, MSI installers, and MDM-pushed VPN configuration bundles

Notes

Two operational realities matter here. First, VPN credentials get embedded in client-side deployment artifacts (MSI wrappers, per-user config XML) that end up in software repositories, shared drives, and image golden masters — normal-looking config files that carry live creds. Second, before FortiOS 7.4.x, admin password hashes in config backups were stored using unsalted SHA-256, making them cheap to crack offline once a backup leaked; Fortinet migrated the format to PBKDF2 in 7.2.11, 7.4.8, and 7.6.1.

04

Fortimanager_Access SSH Backdoor

fortinet-fortios / fortimanager-access-ssh

Undocumented management account "Fortimanager_Access" present in certain FortiOS, FortiSwitch, and FortiAnalyzer builds, reachable over SSH. Authenticated via a fixed challenge-response derived from a hardcoded string rather than a stored password, effectively granting remote root-equivalent CLI access.

undocumentedstatic defaultsecretusername/password

Default credentials

Fortimanager_Access:(empty)

Location

public interface

SSH management interface (any interface with mgmt access enabled)

Notes

Not a shipped password in the ordinary sense — the account uses a custom challenge-response with a hardcoded value. Patched by removing the account entirely; no "change the password" mitigation exists. Fixed builds: FortiOS 5.0.8+, 5.2.x, 5.4.x, with corresponding FortiSwitch and FortiAnalyzer releases.

05

SSL VPN "Magic" Password Bypass

fortinet-fortios / sslvpn-magic-password

Undocumented "magic" string in the FortiOS SSL VPN portal that, when supplied as the value of a specific POST parameter to /remote/logincheck, bypassed normal authentication and let an attacker log in as any user. Fortinet's own advisory language describes it as a "magic value" left in the codebase from a customer-driven password-expiry feature.

undocumentedsecretpassword

Default credentials

(empty):(empty)

Location

public interface
/remote/logincheck

POST request against the SSL VPN web portal (default port 10443)

Notes

Fortinet describes this as an "errant code string" originally created for a password-change flow. The bypass is triggered by supplying the magic value as the "magic" parameter — no username or password verification occurs. Removed from the code base in the fixed FortiOS builds; no operator-side mitigation exists short of upgrading or disabling the SSL VPN entirely.

06

SSL VPN Websession File (plaintext session credentials)

fortinet-fortios / sslvpn-websession-plaintext

/dev/cmdb/sslvpn_websession is an internal FortiOS file storing currently connected SSL VPN users' usernames and passwords in plaintext. Not a shipped credential per se, but a documented storage location that a well-known unauthenticated path traversal (CVE-2018-13379) made remotely readable.

generated on installsecretsecret value

Looks like

pattern
pattern

username:plaintext-password pairs written into the session file for every active SSL VPN login; format is internal to FortiOS

[A-Za-z0-9._\-]+:[^\r\n]+

Location

config file
/dev/cmdb/sslvpn_websession

internal FortiOS session file, on-device

http response

exposed via GET /remote/fgt_lang?lang=<traversal> on FortiOS 5.4.6–5.4.12, 5.6.3–5.6.7, 6.0.0–6.0.4 (CVE-2018-13379)

Notes

The file itself has existed across FortiOS versions as a normal internal artifact. The credential-leak significance comes from the pre-auth path traversal that made it readable over the internet — mass-exploited from 2019 onward, and a foothold in numerous ransomware and APT campaigns. Any device that was internet-facing and unpatched during the exposure window should be assumed to have leaked its active session credentials, and those credentials rotated even after patching.

07

Configuration Backup Hardcoded Encryption Key

fortinet-fortios / config-backup-hardcoded-key

Fortinet FortiOS encrypts fields inside configuration backup files using a hardcoded cryptographic key baked into the firmware. An attacker who obtains a backup file can decrypt users' passwords (except the admin's), private-key passphrases, and the HA password using knowledge of the key.

undocumentedstatic defaultsecretcertificate

Default credentials

(empty):(empty)

Location

config file

FortiOS configuration backup files (.conf) exported via "Backup" in the GUI or `execute backup config` in the CLI

build artifact

config backups routinely stored in git repos, ticket systems, shared drives, and MSP backup vaults

Notes

Not exploitable remotely on its own — the attacker needs the backup file. Backups are commonly emailed, checked into SCM, or sent to MSPs, so exposure is high in practice. CISA added this to the Known Exploited Vulnerabilities catalog in June 2025, with confirmed active exploitation. Mitigation is upgrading to a fixed FortiOS build; existing backups taken before the upgrade should be treated as sensitive going forward. Note that the administrator's own password is stored differently and is NOT decrypted by this key.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.