CVE-2018-13382
published 2019-06-04


Priority: P190; CVSS 3.1 base score: 7.5 (High)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability (due 2022-07-10)
Exploited in the wild
EPSS: 81.69% (99.6th percentile)
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests

Affected (8 ranges)

Vendor     Product      Version range          Fixed in
fortinet   fortinet     -                      -
fortinet   fortios      -                      -
fortinet   fortios      >= 5.4.1 < 5.4.11      5.4.11
fortinet   fortios      >= 5.6.0 < 5.6.9       5.6.9
fortinet   fortios      >= 6.0.0 < 6.0.5       6.0.5
fortinet   fortiproxy   < 1.2.9                1.2.9
fortinet   fortiproxy   -                      -
fortinet   fortiproxy   -                      -

Detection & IOCs (extracted from sources)

url:      /remote/logincheck
other:    magic=4tinet2095866
command:  POST /remote/logincheck ajax=1&username=<user>&magic=4tinet2095866&credential=<newpass>
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remote/logincheck"; startswith; fast_pattern; endswith; http.request_body; content:"ajax=1"; content:"&username="; content:"&credential="; content:"&magic="; reference:cve,CVE-2018-13382; reference:url,github.com/milo2012/CVE-2018-13382/blob/master/CVE-2018-13382.py; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027885; rev:5; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, signature_severity Critical, tag CISA_KEV, updated_at 2024_04_13;)
  • Detect unauthenticated POST requests to /remote/logincheck containing the magic string '4tinet2095866' in the request body — this is the hardcoded 'magic' value used to bypass authentication and change SSL VPN user passwords.
  • Alert on HTTP POST to /remote/logincheck where the body contains all four fields: ajax=1, &username=, &credential=, and &magic= — this combination is the exact exploit pattern per the ET rule (sid:2027885).
  • Only locally-authenticated SSL VPN users are affected; accounts using remote authentication (LDAP or RADIUS) are not impacted — scope detection and triage accordingly.
  • Use the Google dork 'intitle:"Please Login" "Use FTM Push"' to identify exposed FortiOS SSL VPN portals that may be vulnerable targets.
  • A successful exploit response contains the string '/remote/hostcheck_install' in the HTTP response body — monitor for this in SSL-decrypted traffic as a confirmation of successful password change.
  • The ET Snort rule (sid:2027885) requires SSL/TLS decryption to inspect the POST body on HTTPS traffic — deploy with 'deployment SSLDecrypt' as noted in the rule metadata.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck  -        9.1    CRITICAL  -
cisa       -        7.5    HIGH      -