FortiGate Honeypot — What Attackers Do When They Find a FortiOS Admin Surface
Our FortiGate honeypot impersonates a FortiOS 7.4.x admin surface (login page, SSL VPN portal, REST API, firmware update endpoints). It runs on sensor1 (LAN, DNAT-ed through the lab firewall) and sensor2 (PROD, public). In the last 7 days we logged a small but high-quality 36 application-layer hits on sensor1 plus a similar volume on sensor2 — every single one was probing for a known FortiOS CVE path, a banner-grab, or a Censys-class scanner. The FortiGate surface is the cleanest signal-to-noise ratio in the fleet: nobody hits port 10443 by accident.
The decoy — what the attacker sees
TLS on port 10443 (the FortiOS default admin port), self-signed cert
with CN=FGT60F, a FortiOS-style login page, and the
canonical REST API surface (/api/v2/*). The honeypot
returns the right error pages for unknown paths and the right
login challenge shape for /login so even FortiOS-aware
clients see a coherent profile.
The Server: header that the front aiohttp returns was
changed on 2026-05-28 from a generic nginx string to
xxxxxxxx-xxxxx — matching what a real FortiOS
instance actually emits (an opaque blob, not a product banner). The
old behaviour was leaking the honeypot at the first response header,
which we discovered during a fleet-wide banner audit and fixed
immediately. After that change, the path-class breakdown of who hits
us still looks the same — CVE checkers don’t bother
reading the Server header, and Shodan/Censys catalogue both flavours
equally — so the fix is more of a hygiene win than a traffic
change.
Top paths probed (last 7 days, sensor1)
| Path | Class | What it’s checking | Hits |
|---|---|---|---|
/ |
banner-grab | Just the login page — scanner cataloguing | 22 |
/lang/legacy/filechecksum |
CVE-2024-21762 | FortiOS SSL-VPN heap overflow precondition probe | 4 |
/migadmin/lang/legacy/legacy/filechecksum |
CVE-2024-21762 | Same vuln, alternate path via migadmin | 4 |
/login?redir=/ng |
login-enum | FortiOS Angular admin login redirect | 4 |
/login |
login-enum | Plain login page fetch | 4 |
/cvecheck-pchnks |
cve-checker | Generic vulnerability scanner tagging | 4 |
/api/v2/static/not.found |
cve-checker | FortiOS REST-API negative-probe (CVE-checker classifier) | 4 |
/favicon.ico |
banner-grab | Cataloguing scanners pull the favicon hash | 4 |
/static/lang/custom/sbin/init |
path-traversal | Trying to reach /sbin/init via FortiOS static-asset path |
2 |
/remote/logincheck |
SSL-VPN | FortiOS SSL VPN login endpoint — classic credential surface | 2 |
/php/login.php |
cross-vector | PAN-OS captive-portal path — same actor probing both | 2 |
What this tells us
/lang/legacy/filechecksum +
/migadmin/lang/legacy/legacy/filechecksum pair that
the public PoC and most automated checkers query in sequence.
That vulnerability was patched in February 2024 and remains
the FortiOS bug everyone scans for, more than a year
after the patch shipped.
We send back HTTP 404 on both paths, which is what an unaffected/patched FortiOS instance would return. Attackers looking for the “legitimate-looking 200 with the right file-checksum response shape” that indicates a vulnerable version move on — which is the point.
/static/lang//custom/sbin/init — the static-asset path-traversal class
/lang/[...]custom/sbin/init — this is the
CVE-2022-42475 family pattern, where the FortiOS
sslvpnd static-asset handler can be coerced into
serving arbitrary file paths via a doubled-slash path-segment
normalisation bug. Our honeypot returns the FortiOS-style 404
template; a vulnerable real device would serve the requested
binary.
The double-slash variant (
/static/lang//custom/sbin/init)
is the more recent kit shape. Two distinct UAs (Windows Chrome
107, Macintosh Chrome 136) were used — UA rotation across
the same payload, classic kit signature.
/php/login.php on the FortiGate honeypot — PAN-OS captive portal cross-vector
/php/login.php — the canonical
PAN-OS captive portal path (CVE-2026-0300 territory). They’re
hitting the FortiOS surface with a PAN-OS path because the
kit operator’s wordlist is “everything I know,
against everything that responds.”
This is the same pattern we documented in the CVE-2026-0300 hunt writeup — polyglot vulnerability sweeps from operators who treat each target as a checkbox rather than a focused campaign.
CensysInspect/1.1),
Infrawatch (Infrawatch/1.0), occasional Shodan-Pull.
They pull the login page and the favicon, sometimes the
/robots.txt, then leave. We treat them as background
noise — they index us into their public banner-search
results, which is what attracts the next round of actual
attackers.
Once the FortiOS honeypot is in Shodan’s database, the CVE-checker traffic starts arriving within hours.
A representative day of traffic
2026-05-30 morning, sensor1:
Two source IPs, two different stories. 64.62.156.152
is a CVE-2024-21762 checker working through a target list —
it hits both the legacy and migadmin paths in 16 seconds, then
moves on. 66.132.195.37 is in the Oracle Cloud
66.132.0.0/16 range that we’ve been tracking
across multiple HoneyLens hunts (K8s, PAN-OS, NGINX Rift) —
here they’re catalogue-scanning under the Censys UA but the
source IP itself is on our active actor-cluster list.
What this means for FortiGate operators
- CVE-2024-21762 is the default first-probe against
any newly-exposed FortiOS admin surface. If you put a
FortiGate on the internet, expect the
/lang/legacy/filechecksum+/migadmin/lang/legacy/legacy/filechecksumpair within hours. - The
Server:header gives the game away. Real FortiOS emits an opaque blob (xxxxxxxx-xxxxx); anything else (especiallynginx/Apache) tells an attacker they’re looking at a reverse-proxy or a honeypot. Match the real device exactly or don’t emit a Server header at all. - Path-traversal probes are nuanced. The doubled-slash
/lang//custom/...variant is the active kit shape; the single-slash variant is the older PoC. Logging both gives you a kit-version signal. - Cross-vector polyglot sweeps are the norm. PAN-OS paths on FortiGate, FortiGate paths on Cisco, K8s paths on PAN-OS — modern kits don’t care which vendor they’re hitting. If you ingest honeypot logs, the cross-product (same source IP, different vendor surfaces) is where actor-cluster signals live.