According to Ralf-Philipp Weinmann, a security researcher who contributed in unraveling the innerworkings of the Juniper vulnerability, took to Twitter on Tuesday and has been continuously referring to the custom SSH authentication as a "backdoor." In one of his posts, he confirmed that he was able to make the backdoor work as reported for older versions of FortiOS.
According to the exploited code, the undisclosed authentication worked from versions 4.3, up to 5.0.7. If the days stand undisputed, the surreptitious access method would active in FortiOS versions as well in the current 2013 and 2014 time frame and possibly earlier. The vulnerability was eventually patched, but still, researchers are unable to locate a security advisory that could disclose the alternative authentication method or the hard-coded password. While one researcher started that the exploit no longer works in version 5.2.3, the release is still suspicious as it contained the same hard-coded string.
"So a lot of parts of this auth mechanism are still in the later firmware," said the researcher, who requested to be anonymous. The most recent version of FortiOS 5.4.0, was released this month.