CVE-2018-13382
Published 2019-06-04
Priority: P1 90 high; CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2022-07-10
Exploited in the wild
EPSS: 81.69% (99.6th percentile)
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | >= 5.4.1 < 5.4.11 | 5.4.11 |
| fortinet | fortios | >= 5.6.0 < 5.6.9 | 5.6.9 |
| fortinet | fortios | >= 6.0.0 < 6.0.5 | 6.0.5 |
| fortinet | fortiproxy | < 1.2.9 | 1.2.9 |
| fortinet | fortiproxy | — | — |
| fortinet | fortiproxy | — | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remote/logincheck"; startswith; fast_pattern; endswith; http.request_body; content:"ajax=1"; content:"&username="; content:"&credential="; content:"&magic="; reference:cve,CVE-2018-13382; reference:url,github.com/milo2012/CVE-2018-13382/blob/master/CVE-2018-13382.py; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027885; rev:5; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, signature_severity Critical, tag CISA_KEV, updated_at 2024_04_13;)
- Detect unauthenticated POST requests to /remote/logincheck containing the magic string '4tinet2095866' in the request body — this is the hardcoded 'magic' value used to bypass authentication and change SSL VPN user passwords.
- Alert on HTTP POST to /remote/logincheck where the body contains all four fields: ajax=1, &username=, &credential=, and &magic= — this combination is the exact exploit pattern per the ET rule (sid:2027885).
- Only locally-authenticated SSL VPN users are affected; accounts using remote authentication (LDAP or RADIUS) are not impacted — scope detection and triage accordingly.
- Use the Google dork 'intitle:"Please Login" "Use FTM Push"' to identify exposed FortiOS SSL VPN portals that may be vulnerable targets.
- A successful exploit response contains the string '/remote/hostcheck_install' in the HTTP response body — monitor for this in SSL-decrypted traffic as a confirmation of successful password change.
- The ET Snort rule (sid:2027885) requires SSL/TLS decryption to inspect the POST body on HTTPS traffic — deploy with 'deployment SSLDecrypt' as noted in the rule metadata.
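CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vulncheck | | 9.1 | CRITICAL | |
| cisa | | 7.5 | HIGH | |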
CISA
Fortinet FortiOS and FortiProxy Improper Authorization
cisa·2022-01-10·CVSS 7.5
CVE-2018-13382 [HIGH] CWE-285 Fortinet FortiOS and FortiProxy Improper Authorization
Vulnerability: Fortinet FortiOS and FortiProxy Improper Authorization
Affected: Fortinet FortiOS and FortiProxy
An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under SSL VPN web portal allows an unauthenticated attacker to modify the password.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-13382
Remediation Due Date: 2022-07-10
Fortinet
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and Forti...
vendor_fortinet·2019-06-04·CVSS 9.1
CVE-2018-13382 [CRITICAL] CWE-863 An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and Forti...
FG-IR-18-389: An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and Forti...
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests
CVEs: CVE-2018-13382
CWEs: CWE-863
CVSS: 9.1 (critical)
Affected products: FortiOS, FortiProxy, Fortinet
Fortinet
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and Forti...
vendor_fortinet·2019-06-04·CVSS 9.1
CVE-2018-13382 [CRITICAL] CWE-863 An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and Forti...
FG-IR-20-231: An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and Forti...
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests
CVEs: CVE-2018-13382
CWEs: CWE-863
CVSS: 9.1 (critical)
Affected products: FortiOS, FortiProxy, Fortinet
GHSA
GHSA-chg2-j3mj-m3rj: An Improper Authorization vulnerability in Fortinet FortiOS 6
ghsa_unreviewed·2022-05-24
CVE-2018-13382 [HIGH] CWE-285 GHSA-chg2-j3mj-m3rj: An Improper Authorization vulnerability in Fortinet FortiOS 6
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.
VulnCheck
Fortinet FortiOS and FortiProxy Improper Authorization
vulncheck·2018·CVSS 9.1
CVE-2018-13382 [CRITICAL] CWE-285 Fortinet FortiOS and FortiProxy Improper Authorization
Fortinet FortiOS and FortiProxy Improper Authorization
An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under SSL VPN web portal allows an unauthenticated attacker to modify the password.
Affected: Fortinet FortiOS and FortiProxy
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2018-13382; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.cisa.gov/uscert/ncas/alerts/aa22-158a; https://cisa.gov/news-events/cybersecurity-advisories/aa22-158a
Exploit PoC: https://vulncheck.com/xdb/032ed957d9fa; https://vulncheck.com/xdb/bac14e8d2f95; htt
Suricata
ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)
suricata·2019-08-14·CVSS 9.1
CVE-2018-13382 [CRITICAL] ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)
Tenable
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
blogs_tenable·2021-08-25
Fortinet
FortiOS and SSL Vulnerabilities
blogs_fortinet·2019-08-28·CVSS 9.1
[CRITICAL] FortiOS and SSL Vulnerabilities
PSIRT BLOGS
FortiOS and SSL Vulnerabilities
By Fortinet | August 28, 2019
At the recent Black Hat 2019 conference held in Las Vegas this past August 3-8, security researchers discussed their discovery of security vulnerabilities that impacted several security vendors, including Fortinet. All of the vulnerabilities impacting Fortinet were fixed in April and May of 2019.
SSL VPN Vulnerabilities
Two of the vulnerabilities directly affected Fortinet’s implementation of SSL VPN. They are:
CVE-2018-13379 (FG-IR-18-384) – This is a path traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests.
CVE-2018-13383 (FG-IR-18-388) – This heap buffer overflow vulnerability in t
Tenable
CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild
blogs_tenable·2019-08-27·CVSS 9.1
[CRITICAL] CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
2019-06-04: Published
2022-01-10: Added to CISA KEV
Exploited in the wild