Port 541 has two lives. Its official IANA assignment is uucp-rlogin, a protocol from the 1980s that combined Unix-to-Unix Copy (UUCP) with remote login (rlogin) functionality. That protocol is essentially extinct. The port's second life is far more consequential: Fortinet uses it for the FortiGate-to-FortiManager (FGFM) protocol, the management channel that lets FortiManager centrally control FortiGate firewalls.[1]
The problem: thousands of organizations accidentally exposed port 541 to the public Internet, turning a management channel into an attack vector.
What Runs on Port 541
Originally: uucp-rlogin—a combination of two Unix protocols from the 1970s and 1980s. UUCP (Unix-to-Unix Copy) was created by Mike Lesk at AT&T Bell Laboratories in 1979 for transferring files and executing commands between Unix systems.[2] The Berkeley r-commands, including rlogin (remote login), were developed in 1982 by the Computer Systems Research Group at UC Berkeley.[3] The uucp-rlogin protocol combined these technologies, but like most of the r-commands, it fell out of use due to security concerns—passwords and data were transmitted in plaintext.
Today: The FortiGate-to-FortiManager Protocol (FGFM). Fortinet repurposed port 541 for communication between FortiGate firewall appliances and FortiManager central management consoles. When you manage hundreds of FortiGate devices from a single dashboard, port 541 is how they talk.[4]
How the Protocol Works
The FGFM protocol allows FortiManager to:
- Push configuration changes to FortiGate devices
- Collect logs and monitoring data
- Execute management commands remotely
- Update firmware and policies
This is powerful functionality. It's also why port 541 should never be accessible from the public Internet—it's a management interface, not a public service.
The Security Problem
Port 541 became a significant attack vector because of a simple mistake: administrators configured network ACLs (Access Control Lists) to restrict external access, but the rules blocked everything except TCP port 541.[5] They thought they were securing their FortiManager devices. Instead, they left the most sensitive port wide open.
Known vulnerabilities:
- CVE-2014-8617 (FortiOS 4.3.15 and lower, 5.0.0-5.0.7): A specially crafted request to the FortiManager protocol service could create a denial of service condition.[6]
- Unauthorized access: When exposed publicly, attackers used port 541 to deploy backdoors and maintain persistent access to compromised FortiManager devices.[5]
- Espionage operations: Google's Threat Intelligence team documented suspected Chinese actors using custom malware that exploited FortiGate devices, with port 541 as an entry point.[7]
Mitigation:
- Disable FGFM access on external-facing interfaces
- Block TCP port 541 with local-in policies
- Never expose port 541 to the public Internet—it should only be accessible from trusted internal networks
- Keep FortiOS updated with security patches
The Unix Legacy
The original uucp-rlogin protocol represents a specific moment in Internet history. In the 1970s and 1980s, before the Internet was ubiquitous, computers connected via dial-up modems and UUCP. By 1978, 82 Unix machines inside Bell Labs used UUCP. By 1983, that number grew to 550 machines across the United States.[8]
Rlogin emerged when TCP/IP networking was brand new. Bill Joy at Berkeley quickly built rlogin and rcp (remote copy) when the BSD kernel first got working network code.[3] These protocols assumed trusted networks. They assumed you knew everyone on the other end of the connection. They were designed for collaboration, not security.
That assumption broke when networks opened to the world. The r-commands—rlogin, rcp, rsh—became security liabilities. SSH replaced them in the 1990s. The uucp-rlogin protocol quietly disappeared.
Why This Port Matters
Port 541 shows how port numbers outlive their original purposes. IANA assigned 541 to uucp-rlogin decades ago. That protocol is dead. But the port number lives on, repurposed by vendors who needed a number and grabbed an abandoned one.
This creates confusion. Security scanners report "uucp-rlogin detected" when they see port 541, but what they're actually seeing is FortiGate management traffic. The name doesn't match the reality.
More importantly: port 541 demonstrates the consequence of exposing management interfaces. Every protocol that lets you remotely control a system—whether it's from 1982 or 2024—becomes a target when accessible from the wrong network.
Checking Port 541
To see if something is listening on port 541:
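An added example (not from the original page) for a Linux host with iproute2's `ss`: it lists TCP listeners on port 541 and classifies each by bind address, since a listener on all interfaces is the case that needs a firewall check. The function names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which local addresses accept TCP connections on port 541.
PORT=541

# Reads `ss -Htln` lines on stdin and prints "<class> <address>" for each
# listener on $PORT. Classes: ALL-INTERFACES, LOOPBACK, SPECIFIC.
classify_listeners() {
    awk -v port="$PORT" '
    $1 == "LISTEN" || $2 == "LISTEN" {
        loc = $(NF-1)                       # local addr:port; peer is the last field
        if (!match(loc, /:[0-9]+$/)) next   # last colon, so IPv6 literals survive
        addr = substr(loc, 1, RSTART - 1)
        if (substr(loc, RSTART + 1) != port) next
        sub(/%.*$/, "", addr)               # drop an interface suffix such as %lo
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") cls = "ALL-INTERFACES"
        else if (addr ~ /^127\./ || addr == "[::1]")            cls = "LOOPBACK"
        else                                                     cls = "SPECIFIC"
        print cls, addr
    }'
}

# Constructed sample of `ss -Htln` output (not captured from a real device).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 10.20.0.5:541 0.0.0.0:*
LISTEN 0 4096 [::]:541 [::]:*
LISTEN 0 128 127.0.0.1:5410 0.0.0.0:*
EOF
}

# On a live Linux host, inspect the real listener table when ss is available.
if command -v ss >/dev/null 2>&1; then
    ss -Htln 2>/dev/null | classify_listeners || true
fi
```

Run `sample_ss_output | classify_listeners` to see the classification on the constructed input; an ALL-INTERFACES result means reachability depends entirely on upstream filtering.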
If you find port 541 open on a FortiGate or FortiManager device, verify it's only accessible from trusted management networks. If it's exposed to the Internet, you have a problem.
Related Ports
- Port 540 — uucp (Unix-to-Unix Copy), the predecessor protocol
- Port 514 — syslog, another management protocol that should never face the Internet
- Port 22 — SSH, the secure replacement for rlogin and the other r-commands
- Port 23 — Telnet, another insecure remote login protocol from the same era