Why External Attack Surface Management Matters in 2026
Most organizations don't know what attackers can see. External Attack Surface Management closes this gap — before threat actors exploit it.
Thousands of FortiGate firewalls are still running with factory default credentials. Here's why this keeps happening and what attackers do with that access.
FortiGate firewalls ship with a well-documented default: username "admin", password empty — or in many deployments, the equally predictable "fortinet". This is not a secret. It is printed in every setup guide, every knowledge base article, and every attacker playbook.
Despite this, thousands of organizations run internet-facing FortiGate appliances with these exact credentials. Shodan queries consistently reveal FortiGate management interfaces exposed on port 443 or 8443 with no credential changes applied. For an attacker, this is not a vulnerability to exploit — it is an open invitation.
The root causes are systemic, not technical. Firewalls are often deployed by integrators or MSPs under time pressure. The initial setup works, the project closes, and the "change default credentials" step never happens. In other cases, test environments go live without hardening, or mergers and acquisitions introduce unaudited network equipment.
There is also a false sense of security: teams assume that because a firewall exists, the network is protected. But a firewall with default credentials is worse than no firewall at all — it provides a false perimeter while granting administrative access to anyone who tries the obvious.
Administrative access to a FortiGate is not just a configuration risk — it is full network compromise. An attacker who logs in with default credentials can extract the entire firewall configuration using the "show full-configuration" command. This includes VPN settings, firewall rules, routing tables, and — critically — encrypted credentials for LDAP, Active Directory, and RADIUS integrations.
FortiOS stores these credentials using reversible encryption. Attackers with the configuration file can decrypt service account passwords offline, then use those credentials to move laterally into Active Directory, email systems, and file servers. The firewall becomes the entry point for a full domain compromise.
This attack pattern has been observed repeatedly in 2025 and 2026. Threat actors combine default credential scanning with exploitation of FortiOS vulnerabilities like CVE-2025-59718 (CVSS 9.8, authentication bypass via SAML) to maximize their access across thousands of targets simultaneously.
Fortinet is one of the most deployed firewall vendors globally, with a particularly strong presence in the European mid-market. FortiGate appliances protect banks, hospitals, municipalities, and manufacturing companies across DACH.
The combination of widespread deployment, predictable defaults, and internet-exposed management interfaces creates a target-rich environment. Automated scanning tools can identify and attempt login on thousands of FortiGate instances in minutes. For NIS2-regulated organizations, a firewall with default credentials is not just a technical gap — it is a compliance violation that can trigger management liability.
Start with external visibility. An attack surface scan reveals whether your FortiGate management interfaces are exposed to the internet and what services are reachable. This is the attacker's first step — it should be yours too.
Then audit credentials systematically: change all default passwords, enforce MFA for administrative access, restrict management interfaces to internal networks or VPN-only access, and disable unused services. Review the configuration for stored credentials (LDAP bind accounts, RADIUS secrets) and rotate them.
Finally, monitor continuously. Default credentials are not a one-time problem. Every firmware update, every new appliance, every configuration restore can reintroduce defaults. Automated external monitoring catches these regressions before an attacker does.
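The three steps above (external visibility, a systematic credential audit, and continuous re-checking) can be partly automated offline against the configuration export the post mentions. The following Python script is an added example, not code from the original post or from Fortinet: it parses a `show full-configuration` export (the `config` / `edit` / `set` / `next` / `end` block syntax) and reports administrators with no password line, no trusted hosts or no two-factor, management protocols enabled on WAN-role interfaces, and LDAP/RADIUS entries whose stored credentials belong on the rotation list. The configuration text is constructed for the example; treating an administrator entry with no `set password` line as factory-default state is an assumption about the export format.

```python
"""Offline hardening audit of a FortiGate 'show full-configuration' export.

Added example, not from the original post or Fortinet. The sample below is
constructed; an administrator entry with no 'set password' line is assumed
to be in factory-default state.
"""
import shlex
import sys

SAMPLE_CONFIG = """\
config system global
    set admin-sport 443
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "ops"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.0.0
        set two-factor fortitoken
        set password ENC placeholder-hash
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.5 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.10"
        set username "CN=svc-fw,OU=Service,DC=corp,DC=example"
        set password ENC placeholder-secret
    next
end
config user radius
    edit "corp-nps"
        set server "10.0.0.11"
        set secret ENC placeholder-secret
    next
end
"""

MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for top-level config sections.

    Sections without 'edit' (e.g. 'system global') store their settings under
    the entry name ''. Nested sub-tables inside an entry are skipped because
    this audit does not need them.
    """
    sections, path, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:          # stray quote in a value: fall back to whitespace split
            tokens = line.split()
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path.append(" ".join(args))
            if len(path) == 1:
                sections.setdefault(path[0], {})
                entry = ""
        elif cmd == "end":
            path.pop()
            if not path:
                entry = None
        elif len(path) != 1:        # inside a nested sub-table: ignore
            continue
        elif cmd == "edit":
            entry = args[0]
            sections[path[0]][entry] = {}
        elif cmd == "next":
            entry = ""
        elif cmd == "set":
            sections[path[0]].setdefault(entry, {})[args[0]] = args[1:]
    return sections


def audit(sections):
    """Return a list of (severity, message) findings for the gaps the post lists."""
    findings = []
    for name, attrs in sections.get("system admin", {}).items():
        if "password" not in attrs:
            findings.append(("HIGH", f"admin '{name}': no password set (factory-default state)"))
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append(("MEDIUM", f"admin '{name}': no trusted hosts, login allowed from any source"))
        if attrs.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("MEDIUM", f"admin '{name}': two-factor disabled"))
    for name, attrs in sections.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role", [""])[0] == "wan" and exposed:
            findings.append(("HIGH", f"interface '{name}' (role wan): management via {', '.join(sorted(exposed))}"))
    # Stored integration credentials: inventory them for rotation (see the post's audit step).
    for section, key in (("user ldap", "password"), ("user radius", "secret")):
        for name, attrs in sections.get(section, {}).items():
            if key in attrs:
                findings.append(("INFO", f"{section} '{name}': stored {key}, rotate after any exposure"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for severity, message in audit(parse_fortios(text)):
        print(f"[{severity}] {message}")
```

Run it against a real export with `python fortigate_audit.py export.conf`; re-running it after every firmware update, new appliance or configuration restore is the regression check described above, and an empty HIGH list is the condition to expect before a management interface is allowed to face the internet at all.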