:: Deepquest ::

Fortinet FortiSIEM has a hard-coded SSH public key for user “tunneluser” which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor. The unencrypted key is also stored inside the FortiSIEM image. While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds. Versions 5.2.5 and 5.2.6 have been verified as vulnerable.