CVE-2018-13374

CVE-2018-13374 is a medium-severity vulnerability in Fortinet Fortiadc with a CVSS 3.x base score of 4.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-09-08). The underlying weakness is classified as CWE-732.

Key facts

Description

A Improper Access Control in Fortinet FortiOS 6.0.2, 5.6.7 and before, FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows attacker to obtain the LDAP server login credentials configured in FortiGate via pointing a LDAP server connectivity test request to a rogue LDAP server instead of the configured one.

Fortinet LDAP Credential Disclosure in FortiOS and FortiADC (CVE-2018-13374)

AI-generated analysis based on the vulnerability data on this page.

Summary

Fortinet FortiOS and FortiADC contain an access control flaw that exposes configured LDAP credentials when an administrator initiates a connectivity test. An attacker with sufficient privileges can redirect the test to a rogue LDAP server and capture the authentication credentials sent during the check.

Background

Fortinet FortiOS is the operating system powering FortiGate next-generation firewalls, while FortiADC is an application delivery controller. Both products support LDAP integration for authentication and directory services. During troubleshooting or configuration verification, administrators can initiate LDAP server connectivity tests from the management interface. This feature became a target for credential theft when it was found to lack sufficient access controls over the destination of the test request.

Root Cause

The vulnerability is classified as CWE-732. The root cause lies in the improper validation of the LDAP server endpoint during connectivity tests. When an administrator triggers a test, the device transmits the configured bind credentials to verify authentication. The implementation fails to enforce that the test request reaches only the pre-configured, legitimate LDAP server, allowing an attacker to substitute or redirect the request to an attacker-controlled endpoint without adequate authorization checks.

Impact

The CVSS v3.1 score is 4.3 (Medium), with a confidentiality impact rated Low. The attack vector is Network, complexity is Low, and requires Low privileges. No integrity or availability impact is assessed. The primary risk is credential disclosure: an attacker who obtains LDAP bind credentials can reuse them to access directory services, escalate privileges within the enterprise, or pivot to other systems that rely on the same credentials. The EPSS score of 0.38088 places this vulnerability in the 98.37th percentile, indicating a historically high probability of exploitation.

Exploitation Walkthrough

From a defensive perspective, the attack flow is straightforward. An attacker with administrative or sufficient configuration privileges accesses the LDAP server settings and initiates a connectivity test. By manipulating network conditions or DNS resolution, the attacker directs the test traffic to a rogue LDAP server under their control. The Fortinet device then sends the stored bind credentials to the rogue server during the authentication phase, allowing the attacker to capture them.

Ethics caveat: This description is intentionally generic and defensive in nature. It is provided to help defenders understand the attack surface and test their own compensating controls. Weaponized exploit code or step-by-step instructions for unauthorized exploitation are not included.

Affected and Patched Versions

Affected products include:

  • Fortinet FortiOS 6.0.2, 5.6.7, and earlier versions
  • Fortinet FortiADC 6.1.0, 6.0.0 to 6.0.1, and 5.4.0 to 5.4.4

Specific patch information is not available in the source data. Organizations should consult the FortiGuard advisory referenced below for the definitive list of fixed releases and upgrade paths.

Remediation

  1. Upgrade: Apply the latest patched firmware provided by Fortinet for FortiOS and FortiADC. Verify through the FortiGuard advisory that the installed version is no longer affected.
  2. Compensating controls: Until patching is complete, restrict administrative access to Fortinet management interfaces to trusted networks and enforce multi-factor authentication for admin accounts. Monitor LDAP credential usage for anomalous authentication patterns from unexpected sources.

Detection

  • Monitor firewall and network logs for LDAP connections from Fortinet management interfaces to unexpected or external IP addresses.
  • Review administrative audit logs for unauthorized or unusual connectivity test events.
  • Correlate LDAP bind attempts with baseline directory server IP addresses; deviations may indicate credential redirection.
  • Leverage SIEM rules to flag FortiOS and FortiADC management sessions that trigger external LDAP traffic.

Assessment

This vulnerability was added to the CISA Known Exploited Vulnerabilities Catalog on 2022-09-08, confirming real-world exploitation. With an EPSS score of 0.38088 and a 98.37th percentile ranking, it is among the most reliably exploited historical CVEs. The relatively low CVSS v3.1 score of 4.3 reflects limited confidentiality impact, but the exposure of LDAP credentials can cascade into broader domain compromise. Two lessons emerge: first, connectivity-test features must validate destination endpoints strictly; second, credentials stored in network appliances should be rotated regularly and monitored for anomalous reuse.

References

Frequently asked questions

What is CVE-2018-13374?
A Improper Access Control in Fortinet FortiOS 6.0.2, 5.6.7 and before, FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows attacker to obtain the LDAP server login credentials configured in FortiGate via pointing a LDAP server connectivity test request to a rogue LDAP server instead of the configured one.
How severe is CVE-2018-13374?
CVE-2018-13374 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2018-13374 being actively exploited?
Yes. CVE-2018-13374 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-09-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2018-13374?
CVE-2018-13374 primarily affects Fortinet Fortiadc. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2018-13374?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2018-13374 have an EU (EUVD) identifier?
Yes. CVE-2018-13374 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-5318. It is also flagged as exploited in the EUVD (since 2022-09-08).
When was CVE-2018-13374 published?
CVE-2018-13374 was published on 2019-01-22 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Fortinet Fortiadc

All CVEs affecting Fortinet Fortiadc →

Other CWE-732 (Incorrect Permission Assignment for Critical Resource) vulnerabilities

Browse all CWE-732 (Incorrect Permission Assignment for Critical Resource) vulnerabilities →