CVE Reference | Critical Vulnerability
Active Threat | May 24, 2019 | 9 min read

CVE-2018-13379 Explained: Fortinet FortiGate VPN Path Traversal and Credential Exposure

A CVSS 9.8 pre-authentication path traversal in Fortinet FortiOS SSL VPN. Credentials from tens of thousands of devices posted publicly. Exploited years after patching.

Sources: NVD | CISA Alert AA20-073A | CISA KEV
Eric Bang

Founder & Cybersecurity Evangelist

CVSS score: 9.8
Credentials exposed: 87,000+
Authentication required: None
Still actively exploited post-patch: 2021

CVE-2018-13379 is a pre-authentication path traversal vulnerability in the web portal of the Fortinet FortiOS SSL VPN. Disclosed in May 2019, it carries a CVSS v3 base score of 9.8. An unauthenticated attacker with network access to the VPN portal can craft a URL that causes the FortiGate appliance to read and return arbitrary files from its filesystem, including the session file that holds plaintext VPN credentials.

The vulnerability's exploitation lifecycle extended years beyond patching. In September 2021, a threat actor published credentials harvested via CVE-2018-13379 from roughly 87,000 FortiGate devices. Fortinet's analysis confirmed that many of the listed devices had since been patched, but their credentials had never been rotated after the exploitation window, so the stolen passwords still worked.

The Path Traversal: How Credentials Are Extracted

The Fortinet FortiOS SSL VPN web portal handles HTTP requests for various portal resources. In vulnerable versions, the URL routing logic neither canonicalizes nor validates the requested path before resolving it against the filesystem, so traversal sequences survive into the file lookup.

By injecting directory traversal sequences (/../) into the URL path, an unauthenticated attacker can navigate outside the intended web root and access system files. The most sensitive target is the FortiOS session file at /dev/cmdb/sslvpn_websession, which stores active and recently active VPN session data including plaintext credentials for users authenticated to the SSL VPN.

A single HTTP GET request to a crafted URL extracts this session file. No authentication, no valid session cookie, and no prior interaction with the device is required. Automated scanners can identify and extract credentials from vulnerable FortiGate devices at internet scale within hours.

Affected versions are FortiOS 6.0.0 through 6.0.4, FortiOS 5.6.3 through 5.6.7, and FortiOS 5.4.6 through 5.4.12. The SSL VPN service (web-mode or tunnel-mode) must be enabled for the portal to be reachable, which is the common deployment configuration; Fortinet's interim workaround was to disable SSL VPN entirely.
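The mechanism above, shown as an added illustration rather than FortiOS code: a resolver that joins the decoded request onto its web root with no containment check, beside one that resolves the path first and then refuses anything outside the root. The temporary directory layout, the file names and the request strings are constructed for the demonstration, and the "sslvpn_websession" file under a sibling directory stands in for the appliance's real session file.

```python
"""Path traversal in a portal file resolver: the unsafe pattern beside a
hardened one. Added illustration, not FortiOS code. The directory layout,
file names and request strings are constructed; the 'cmdb/sslvpn_websession'
file here stands in for the appliance's session file."""
import os
import tempfile
from urllib.parse import unquote

BASE = tempfile.mkdtemp(prefix="portal-demo-")
WEB_ROOT = os.path.join(BASE, "webroot", "lang")            # what the portal may serve
SECRET = os.path.join(BASE, "cmdb", "sslvpn_websession")    # what it must never serve
os.makedirs(WEB_ROOT)
os.makedirs(os.path.dirname(SECRET))
with open(os.path.join(WEB_ROOT, "en.json"), "w", encoding="utf-8") as fh:
    fh.write('{"login": "Login"}')
with open(SECRET, "w", encoding="utf-8") as fh:
    fh.write("user=alice password=hunter2\n")  # constructed marker, not the real file format


def resolve_vulnerable(requested: str) -> str:
    """Decode the request and join it onto the web root with no containment
    check. Every '..' segment walks one directory up and out of the root."""
    rel = unquote(requested).lstrip("/")
    return os.path.normpath(os.path.join(WEB_ROOT, rel))


def resolve_hardened(requested: str) -> str:
    """Decode, resolve to a canonical absolute path, then require that the
    result still lies under the web root. Checking the *resolved* path instead
    of searching for the literal '../' also catches percent-encoded,
    doubled-slash and symlink variants."""
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, unquote(requested).lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"request escapes web root: {requested!r}")
    return candidate


def read_via(resolver, requested: str) -> str:
    """Serve one request through the given resolver and return the file body."""
    with open(resolver(requested), encoding="utf-8") as fh:
        return fh.read()


def leaks_secret(resolver, requested: str) -> bool:
    """True when the resolver hands back the contents of the protected file."""
    try:
        return "hunter2" in read_via(resolver, requested)
    except (PermissionError, FileNotFoundError, NotADirectoryError):
        return False


# Constructed traversal variants; all three read the protected file through
# the vulnerable resolver and are rejected by the hardened one.
TRAVERSALS = [
    "/../../cmdb/sslvpn_websession",             # plain dot-dot segments
    "/%2e%2e/%2e%2e/cmdb/sslvpn_websession",     # percent-encoded dots
    "/../..//////cmdb/sslvpn_websession",        # doubled slashes between segments
]

if __name__ == "__main__":
    for req in ["en.json"] + TRAVERSALS:
        print(f"{req:42} vulnerable={leaks_secret(resolve_vulnerable, req)} "
              f"hardened={leaks_secret(resolve_hardened, req)}")
```

The point of the hardened variant is where the check happens: after canonicalization. A filter that looks for the literal string "../" in the raw URL is the kind of fix that encoded and doubled-slash requests slip past; comparing the fully resolved path against the resolved root has no such blind spot.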

1. Identify exposed FortiGate SSL VPN portals

Scan for Fortinet FortiGate SSL VPN web portals exposed on the HTTPS port the portal listens on (443 by default). The login page is distinctive, with Fortinet branding and SSL VPN portal elements. Shodan and Censys indexes list tens of thousands of exposed appliances.

2. Send the path traversal request

Send an unauthenticated GET request with path traversal sequences targeting the SSL VPN session file. The response body contains the raw session file data; no authentication or session token is required.

3. Extract plaintext credentials

Parse the session file for username and password fields. Credentials stored in the session file are accessible in plaintext or an easily reversible format for recently authenticated VPN users.

4. Authenticate to the VPN

Use the extracted credentials to authenticate to the FortiGate SSL VPN as the compromised user, gaining internal network access equivalent to that user's VPN permissions, which is often unrestricted access to corporate internal networks.

5. Lateral movement and persistence

Use the established VPN connection as a launchpad for internal reconnaissance and lateral movement. The connection appears as a legitimate VPN session under the user's credentials, which complicates detection.
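A defender's counterpart to step 2, added here as an example and not taken from the page: detection logic that scans web access logs in front of the portal for requests that walk out of the web root, and raises the severity when the decoded request reaches for the session file. The log lines are constructed in combined-log style and the request paths and "lang" parameter are placeholders, not a reproduction of the exact vulnerable endpoint. Double percent-encoding and doubled slashes are handled because those are the variants a naive "../" match misses.

```python
"""Flag HTTP requests that try to traverse out of the SSL VPN portal's web
root, with a higher-confidence verdict when the session file is named.
Added example; log lines are constructed in Apache/nginx combined-log style
and the request paths are placeholders, not the real endpoint."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SESSION_FILE = "sslvpn_websession"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one benign login, three attempts on the session file
# (plain, single-encoded, double-encoded), one generic traversal, one static asset.
SAMPLE_LOG = """\
203.0.113.10 - - [25/May/2019:03:14:07 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 3120
203.0.113.10 - - [25/May/2019:03:14:09 +0000] "GET /remote/portal?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 204800
198.51.100.7 - - [25/May/2019:03:20:41 +0000] "GET /remote/portal?lang=%2e%2e%2f%2e%2e%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 404 12
198.51.100.7 - - [25/May/2019:03:20:42 +0000] "GET /remote/portal?lang=%252e%252e%252f%252e%252e%252fdev%252fcmdb%252fsslvpn_websession HTTP/1.1" 404 12
192.0.2.55 - - [25/May/2019:04:01:00 +0000] "GET /static/../../../etc/hosts HTTP/1.1" 403 0
192.0.2.55 - - [25/May/2019:04:01:03 +0000] "GET /images/logo.png HTTP/1.1" 200 5521
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) so double-encoded
    traversal is judged on what the server ultimately sees."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if any segment of the decoded value is '..'. Splitting on runs of
    slashes in either direction means '..//////x' and '..\\x' both count."""
    return ".." in re.split(r"[\\/]+", fully_decode(value))


def classify(target: str):
    """Examine the path and every query value of one request target."""
    parts = urlsplit(target)
    values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    traversal = any(has_traversal(v) for v in values)
    session = any(SESSION_FILE in fully_decode(v) for v in values)
    if traversal and session:
        return "session_file_read"
    if traversal:
        return "traversal"
    if session:
        return "session_file_reference"
    return None


def scan(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict:
            hits.append({
                "ip": m["ip"], "time": m["ts"], "verdict": verdict,
                # 2xx with a body means the file was actually served, i.e. an
                # unpatched device answered; 4xx is an attempt that failed.
                "served": m["status"].startswith("2") and m["size"] not in ("0", "-"),
                "target": m["target"],
            })
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(h["ip"], h["verdict"], "served" if h["served"] else "not served", h["target"])
```

A "session_file_read" that was served is the trigger for the credential-rotation response described later on this page, regardless of the current patch level; attempts that drew a 4xx still identify scanning sources worth blocking.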

The 2021 Data Dump: Why Patched Devices Still Had Exposed Credentials

In September 2021, a threat actor published credentials from 87,000+ FortiGate SSL VPN devices on a cybercriminal forum. Fortinet investigated and confirmed the credentials had been obtained via CVE-2018-13379 from devices that were unpatched at the time of the actor's scan. Critically, Fortinet also confirmed that many of the listed devices were by then running patched FortiOS versions.

This apparent paradox has a straightforward explanation: the patch fixed the path traversal vulnerability and so prevented future credential extraction, but it did nothing to invalidate credentials that had already been extracted before the patch was applied. Users whose credentials were captured during the exploitation window kept the same passwords, so the stolen credentials remained valid for VPN authentication until those passwords were changed.

The 2021 publication represented a threat actor releasing a credential database that may have been collected over an extended period, including during mass exploitation campaigns running in 2019 and 2020. Recipients of that published list could authenticate to FortiGate VPNs using credentials that were years old — because the underlying account passwords had never been changed.

Nation-state actors attributed to Chinese and Iranian groups were among those identified exploiting CVE-2018-13379 for initial access to government and commercial sector targets, and CISA's guidance, beginning with the March 2020 enterprise VPN security advisory (AA20-073A) cited above, repeatedly warned that VPN appliance vulnerabilities were being actively targeted by such actors.

If CVE-2018-13379 has not been patched, we recommend assuming the device has been compromised. Additionally, we recommend changing passwords even if the device has been patched, as credentials may have already been exfiltrated.

Fortinet PSIRT, September 2021

Patching and Fully Remediating CVE-2018-13379

Fortinet released patches in May 2019. If you are still running vulnerable FortiOS versions, take immediate action. If you have patched but not rotated credentials, you remain at risk from already-extracted credentials.

Upgrade FortiOS to a patched version

Upgrade to FortiOS 6.0.5, 5.6.8, 5.4.13, or any later release. Verify the running firmware version via the FortiGate CLI: get system status | grep Version. Any version in the vulnerable ranges listed above must be upgraded.
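A small added checker, not a Fortinet tool, that serves both the affected-version list earlier on this page and the firmware check in this step: it pulls the version out of pasted `get system status` output, places it against the three advisory ranges, and then lists what is still outstanding, because an up-to-date firmware with unrotated credentials is exactly the state the 2021 dump exposed. The status output is a constructed sample in the format the CLI prints (the "Version:" line), and the serial number and hostname are placeholders.

```python
"""Place a FortiGate's firmware against the CVE-2018-13379 affected ranges
and list remaining remediation steps. Added example, not Fortinet tooling;
the status output is a constructed sample of `get system status`."""
import re

# Affected ranges from the advisory, keyed by release branch (major, minor):
# (lowest affected, highest affected, first fixed release on that branch).
VULNERABLE = {
    (6, 0): ((6, 0, 0), (6, 0, 4), "6.0.5"),
    (5, 6): ((5, 6, 3), (5, 6, 7), "5.6.8"),
    (5, 4): ((5, 4, 6), (5, 4, 12), "5.4.13"),
}

VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")

SAMPLE_STATUS = """\
Version: FortiGate-100E v6.0.4,build0231,190107 (GA)
Virus-DB: 66.00560(2019-05-24 01:11)
Serial-Number: FG100E0000000000
Hostname: fw-edge-01
Operation Mode: NAT
"""


def fmt(version) -> str:
    return ".".join(map(str, version))


def parse_version(status_output: str):
    """Return (major, minor, patch) from the 'Version:' line of `get system status`."""
    for line in status_output.splitlines():
        if line.strip().startswith("Version:"):
            m = VERSION_RE.search(line)
            if m:
                return tuple(int(x) for x in m.groups())
    raise ValueError("no 'Version:' line in output")


def assess(version):
    """Return (status, note); status is vulnerable, patched, unaffected or unlisted."""
    branch = version[:2]
    if branch in VULNERABLE:
        low, high, fixed = VULNERABLE[branch]
        if low <= version <= high:
            return "vulnerable", f"{fmt(version)} is affected; upgrade to {fixed} or later"
        if version > high:
            return "patched", f"{fmt(version)} is at or above the fixed release {fixed}"
        return "unlisted", f"{fmt(version)} predates the listed range; end-of-life, upgrade regardless"
    if version > (6, 0, 4):
        return "unaffected", f"{fmt(version)} is on a newer branch than any listed as affected"
    return "unlisted", f"{fmt(version)} is on a branch the advisory does not list; end-of-life, upgrade regardless"


def outstanding_actions(version, credentials_rotated: bool, mfa_enforced: bool):
    """Patching alone does not close the exposure: credentials read before the
    patch stay valid until rotated, so the other two checks are not optional."""
    actions = []
    status, note = assess(version)
    if status in ("vulnerable", "unlisted"):
        actions.append(f"upgrade firmware: {note}")
    if not credentials_rotated:
        actions.append("rotate every SSL VPN user credential")
    if not mfa_enforced:
        actions.append("enforce MFA on SSL VPN logins")
    return actions


if __name__ == "__main__":
    v = parse_version(SAMPLE_STATUS)
    print(fmt(v), *assess(v))
    for a in outstanding_actions(v, credentials_rotated=False, mfa_enforced=False):
        print(" -", a)
```

Run it against the real output of `get system status` from each appliance; a device that reports "patched" or "unaffected" but still lists two outstanding actions is the case this page is about.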

Rotate all VPN user credentials — non-negotiable

Require all users to change their VPN authentication passwords regardless of whether you believe the device was exploited. Credentials extracted before or during your patch window may have been collected and may still be valid. This is the most critical step.

Enable two-factor authentication on all VPN access

Implementing MFA — TOTP, push notifications, or hardware tokens — on FortiGate SSL VPN access ensures that stolen credentials cannot be used alone. This is the most effective long-term protection against credential-based VPN compromise.

Check for unauthorized VPN sessions and accounts

Review FortiGate VPN logs for successful logins from unusual source IPs, geographic locations, or at unusual hours. Compare against normal user access patterns. Review local user accounts for unauthorized additions.
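The log review in this step, as an added example that is not Fortinet tooling: it parses SSL VPN login events and compares each successful login against a per-user baseline of source networks and working hours, and it flags logins by any account that is not on the issued-user list (which is how an unauthorized local account shows up). The event lines are constructed in the key="value" style of FortiGate event logs with the field names FortiOS uses (logid and other fields omitted), and the baseline dictionary is a placeholder for whatever your own VPN history or identity provider supplies.

```python
"""Review SSL VPN logins against a per-user baseline: source network, usual
hours, and whether the account is one you issued. Added example, not Fortinet
tooling; events are constructed in FortiGate key="value" style."""
import ipaddress
import re
from datetime import datetime

# Quoted values may contain spaces; bare values (IPs, dates, numbers) may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_EVENTS = """\
date=2021-09-10 time=09:12:04 type="event" subtype="vpn" action="ssl-login" user="alice" remip=198.51.100.23 reason="login successfully" msg="SSL VPN login"
date=2021-09-10 time=02:13:45 type="event" subtype="vpn" action="ssl-login" user="alice" remip=203.0.113.10 reason="login successfully" msg="SSL VPN login"
date=2021-09-10 time=22:30:11 type="event" subtype="vpn" action="ssl-login" user="bob" remip=198.51.100.40 reason="login successfully" msg="SSL VPN login"
date=2021-09-10 time=22:31:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.77 reason="sslvpn_login_permission_denied" msg="SSL VPN login fail"
date=2021-09-10 time=23:05:40 type="event" subtype="vpn" action="ssl-login" user="svc_backup" remip=192.0.2.9 reason="login successfully" msg="SSL VPN login"
"""

# Constructed baseline: where and during which hours each issued account
# normally connects. Accounts absent from it are treated as unexpected.
BASELINE = {
    "alice": {"networks": ["198.51.100.0/24"], "hours": (7, 20)},
    "bob": {"networks": ["198.51.100.0/24", "10.8.0.0/16"], "hours": (8, 18)},
}


def parse_event(line: str) -> dict:
    """Turn one FortiGate event line into a dict of its key=value fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def review_logins(lines, baseline):
    findings = []
    for line in lines:
        ev = parse_event(line)
        # Only successful SSL VPN logins matter here; failures are a separate signal.
        if ev.get("subtype") != "vpn" or ev.get("action") != "ssl-login":
            continue
        user = ev["user"]
        ip = ipaddress.ip_address(ev["remip"])
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("account not in the issued-user baseline")
        else:
            if not any(ip in ipaddress.ip_network(n) for n in profile["networks"]):
                reasons.append(f"source {ip} outside baseline networks")
            start, end = profile["hours"]
            if not start <= ts.hour < end:
                reasons.append(f"login at {ts:%H:%M} outside usual hours {start:02d}-{end:02d}")
        if reasons:
            findings.append({"user": user, "remip": str(ip),
                             "time": ts.isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_EVENTS.splitlines(), BASELINE):
        print(f["time"], f["user"], f["remip"], "; ".join(f["reasons"]))
```

The second "alice" event is the pattern the 2021 dump produces: a valid password, a successful login, but from an address and at an hour that user has never used. Source-network and hours checks are coarse; extend the baseline with whatever else you can assert about your users (device posture, client version) before relying on it for alerting.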

Restrict SSL VPN portal access by geographic IP range

If your user population connects from predictable regions, configure FortiGate IP address policies to block SSL VPN access from unexpected source countries. This limits the value of stolen credentials used from attacker infrastructure in unexpected geolocations.
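The configuration behind this step and the MFA step above, as an added example rather than text from the page or from Fortinet's documentation: FortiOS CLI as of the 6.0 branch, showing the default open listener beside a listener restricted to a geography address group, and a local user with FortiToken two-factor enabled. The object names, user name, interface name and FortiToken serial are placeholders; lines beginning with "#" are annotations for the reader.

```text
# Added example, not from the page or Fortinet's documentation. FortiOS CLI
# as of the 6.0 branch; object names, user, interface and the FortiToken
# serial are placeholders.

# The default SSL VPN listener accepts any source address (the weak setting):
#   config vpn ssl settings
#       set source-address "all"
#   end

# Corrected: one geography object per country your users connect from,
# collected in a group, and the listener bound to that group.
config firewall address
    edit "geo-US"
        set type geography
        set country "US"
    next
    edit "geo-CA"
        set type geography
        set country "CA"
    next
end
config firewall addrgrp
    edit "geo-allowed"
        set member "geo-US" "geo-CA"
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set source-address "geo-allowed"
    set source-address-negate disable
end

# Two-factor on a local SSL VPN user: a stolen password alone no longer logs in.
config user local
    edit "alice"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end
```

Treat the geography restriction as a speed bump, not a control: it depends on the accuracy of the geo-IP database and is defeated by an attacker who exits through a VPN or proxy in an allowed country. The two-factor setting is what actually neutralizes a leaked password, which is why it is listed as the long-term fix.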

The bottom line

CVE-2018-13379 and its multi-year exploitation arc illustrate the hidden duration of credential compromise. The vulnerability was patched in 2019. Credentials were still being used for unauthorized access in 2021 — two years later — because patching a file read vulnerability does not change the passwords that were read.

VPN credentials are high-value because they provide direct network access. In organizations with split-tunnel or full-tunnel VPN configurations providing unrestricted internal access, a single valid credential represents a complete network perimeter bypass. APTs use exactly this access vector because it is silent, authenticated, and difficult to distinguish from legitimate employee connections.

The complete remediation for any credential-exposing vulnerability is patch plus mandatory credential rotation plus investigation. Two of those three steps are consistently overlooked. All three are required.


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.

Tags: CVE-2018-13379, Fortinet, FortiGate, FortiOS, VPN, path traversal, credential exposure, APT