Last week, a list of almost 50,000 Fortinet VPN devices vulnerable to CVE-2018-13379 was leaked. The situation has evolved: the group behind the leak has begun dumping archives of plain-text credentials and access rights harvested from these devices. These archives are being widely shared across the internet.

In addition to VPN compromise, users listed in the archive may be vulnerable to credential stuffing attacks. Credential stuffing uses such dumps to compromise other accounts where credentials have been reused or permuted. This may lead to further compromises of personal or professional user accounts.

We reiterate the urgency for patching vulnerable Fortinet devices, as well as reviewing logs to identify vulnerable user accounts.

Original Advisory: Tuesday, 24 November 2020

A list of almost 50,000 Fortinet VPN devices vulnerable to CVE-2018-13379 has been leaked to a hacker forum. The vulnerability is a path traversal flaw which allows unauthenticated remote attackers access to system files via HTTP requests. The leak includes commands to steal login credentials from 49,577 unpatched FortiOS SSL VPN devices.

Researchers have commented that slow patching procedures have left a large number of organisations vulnerable to the two-year-old exploit.

Fortinet has issued a statement with regards to this vulnerability:

“The security of our customers is our first priority. In May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade.”

We recommend patching this severe vulnerability immediately and prioritising the review of Fortinet logs.