CVE-2022-26119 - Exploiting Fortinet FortiSIEM’s Hardcoded Glassfish Password for Unauthorized Access

Fortinet, a well-known security vendor, offers FortiSIEM – a product for Security Information and Event Management (SIEM) used by thousands of organizations to monitor and respond to threats. But like many complex software solutions, it has had its fair share of critical vulnerabilities. In this post, we’ll take a deep dive into CVE-2022-26119, a dangerous flaw stemming from *improper authentication* in Fortinet FortiSIEM. If you ever wondered how a hardcoded password can put your infrastructure at risk, keep on reading.

TL;DR

Issue: Anyone with Command Line Interface (CLI) access to a vulnerable FortiSIEM server (before version 6.5.) can connect to the built-in Glassfish Java application server and execute privileged commands using a hardcoded password.

Impact: Attackers can change configurations, collect sensitive data, or even execute remote code, leading to a full system compromise.

CVSS Score: 6. (Medium), due to requiring local CLI access, but the impact is significant.

Vulnerability Overview

This vulnerability, tracked as CVE-2022-26119, affects *Fortinet FortiSIEM appliances and software versions prior to 6.5.*. The issue arises from FortiSIEM shipping with a hardcoded administrative password for the Glassfish management interface (an enterprise Java EE app server under the hood of FortiSIEM).

With CLI access, an attacker can discover and use these credentials to “become admin” over the Glassfish server, bypassing all proper authentication processes. This effectively grants unauthorized access to sensitive operations.

Attacker gets CLI Access:

This could be via legitimate credentials, social engineering, or exploiting some other vulnerability.

Attacker finds the Hardcoded Password:

The hardcoded password is usually stored in a configuration file (domain.xml or passwordfile), or is known from previous disclosures.

Performs Privileged Actions:

Once in, the attacker can deploy new applications, run arbitrary code as the Glassfish user, retrieve configuration files, or even dump sensitive SIEM data.

Code Example: Connecting with the Hardcoded Password

You can use the asadmin CLI tool or curl to connect, depending on what’s installed.

Assume the hardcoded username is admin and the password is changeit (a common placeholder)

Using curl:  

curl -u admin:changeit http://127...1:4848/management/domain/list-applications

Or using asadmin tool:

/opt/glassfish4/bin/asadmin --user admin --passwordfile /opt/glassfish4/glassfish/domains/domain1/config/passwordfile list-applications

*(If that path is different in FortiSIEM, just search for passwordfile inside the glassfish directory.)*

References

- NVD CVE-2022-26119 Details
- Glassfish Official Admin Guide
- Fortinet FortiSIEM Release Notes (6.5.)

Exploit Details & Real-World Risk

Let’s say you have SSH’d into a vulnerable FortiSIEM as a user with CLI access. Find the passwordfile:

cat /opt/glassfish4/glassfish/domains/domain1/config/passwordfile
# Might show
AS_ADMIN_PASSWORD=changeit

You can now run

asadmin --user admin --passwordfile /opt/glassfish4/glassfish/domains/domain1/config/passwordfile list-applications

And voilà – full admin access!

What can you do here?

Silently manipulate SIEM monitoring, hiding attacker activity

Note: This attack requires local CLI access but is devastating because it bypasses internal authentication and leaves no trace in SIEM application logs – everything looks like management traffic.

Remove or change hardcoded passwords after installation

- Restrict CLI/server access to authorized personnel only

Closing Thoughts

CVE-2022-26119 is a perfect example of why hardcoded credentials are so dangerous, especially in critical infrastructure tools like SIEMs. While requiring local machine access, the consequences are severe – giving attackers the keys to your log kingdom.

Patch now, and check for any generic hardcoded secrets in your network appliances. Don’t rely on “security through obscurity”: someone will always take a peek inside.

If you’re looking for more technical breakdowns and exploit tutorials, stay tuned!

*Disclaimer: This write-up is for educational purposes only. Never exploit any system without permission.*

Timeline

Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/03/2022 13:49:00 UTC