Authentication to the Fortinet management panel for various applications could be bypassed by meeting two conditions, the resolved client-ip is 127.0.0.1 and the user-agent is Report Runner

The first could be met by providing a crafted Forwarded header, the second is always under the control of the attacker anyhow. With that they could access administrative functionality, though they could not change the admin user’s password. Instead they were able to add an extra SSH key to the admin user and use the command line interface.