CVE-2018-13374
CVE-2018-13374 is a medium-severity vulnerability in Fortinet Fortiadc with a CVSS 3.x base score of 4.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-09-08). The underlying weakness is classified as CWE-732.
Key facts
- Severity: Medium (CVSS 3.x base score 4.3)
- CVSS v2: 4.0
- EPSS exploit prediction: 38% (98th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-09-08)
- EU (EUVD) id: EUVD-2018-5318
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-09-08)
- Weakness: CWE-732
- Affected product: Fortinet Fortiadc
- Published:
- Last modified:
Description
A Improper Access Control in Fortinet FortiOS 6.0.2, 5.6.7 and before, FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows attacker to obtain the LDAP server login credentials configured in FortiGate via pointing a LDAP server connectivity test request to a rogue LDAP server instead of the configured one.
Fortinet LDAP Credential Disclosure in FortiOS and FortiADC (CVE-2018-13374)
AI-generated analysis based on the vulnerability data on this page.
Summary
Fortinet FortiOS and FortiADC contain an access control flaw that exposes configured LDAP credentials when an administrator initiates a connectivity test. An attacker with sufficient privileges can redirect the test to a rogue LDAP server and capture the authentication credentials sent during the check.
Background
Fortinet FortiOS is the operating system powering FortiGate next-generation firewalls, while FortiADC is an application delivery controller. Both products support LDAP integration for authentication and directory services. During troubleshooting or configuration verification, administrators can initiate LDAP server connectivity tests from the management interface. This feature became a target for credential theft when it was found to lack sufficient access controls over the destination of the test request.
Root Cause
The vulnerability is classified as CWE-732. The root cause lies in the improper validation of the LDAP server endpoint during connectivity tests. When an administrator triggers a test, the device transmits the configured bind credentials to verify authentication. The implementation fails to enforce that the test request reaches only the pre-configured, legitimate LDAP server, allowing an attacker to substitute or redirect the request to an attacker-controlled endpoint without adequate authorization checks.
Impact
The CVSS v3.1 score is 4.3 (Medium), with a confidentiality impact rated Low. The attack vector is Network, complexity is Low, and requires Low privileges. No integrity or availability impact is assessed. The primary risk is credential disclosure: an attacker who obtains LDAP bind credentials can reuse them to access directory services, escalate privileges within the enterprise, or pivot to other systems that rely on the same credentials. The EPSS score of 0.38088 places this vulnerability in the 98.37th percentile, indicating a historically high probability of exploitation.
Exploitation Walkthrough
From a defensive perspective, the attack flow is straightforward. An attacker with administrative or sufficient configuration privileges accesses the LDAP server settings and initiates a connectivity test. By manipulating network conditions or DNS resolution, the attacker directs the test traffic to a rogue LDAP server under their control. The Fortinet device then sends the stored bind credentials to the rogue server during the authentication phase, allowing the attacker to capture them.
Ethics caveat: This description is intentionally generic and defensive in nature. It is provided to help defenders understand the attack surface and test their own compensating controls. Weaponized exploit code or step-by-step instructions for unauthorized exploitation are not included.
Affected and Patched Versions
Affected products include:
- Fortinet FortiOS 6.0.2, 5.6.7, and earlier versions
- Fortinet FortiADC 6.1.0, 6.0.0 to 6.0.1, and 5.4.0 to 5.4.4
Specific patch information is not available in the source data. Organizations should consult the FortiGuard advisory referenced below for the definitive list of fixed releases and upgrade paths.
Remediation
- Upgrade: Apply the latest patched firmware provided by Fortinet for FortiOS and FortiADC. Verify through the FortiGuard advisory that the installed version is no longer affected.
- Compensating controls: Until patching is complete, restrict administrative access to Fortinet management interfaces to trusted networks and enforce multi-factor authentication for admin accounts. Monitor LDAP credential usage for anomalous authentication patterns from unexpected sources.
Detection
- Monitor firewall and network logs for LDAP connections from Fortinet management interfaces to unexpected or external IP addresses.
- Review administrative audit logs for unauthorized or unusual connectivity test events.
- Correlate LDAP bind attempts with baseline directory server IP addresses; deviations may indicate credential redirection.
- Leverage SIEM rules to flag FortiOS and FortiADC management sessions that trigger external LDAP traffic.
Assessment
This vulnerability was added to the CISA Known Exploited Vulnerabilities Catalog on 2022-09-08, confirming real-world exploitation. With an EPSS score of 0.38088 and a 98.37th percentile ranking, it is among the most reliably exploited historical CVEs. The relatively low CVSS v3.1 score of 4.3 reflects limited confidentiality impact, but the exposure of LDAP credentials can cascade into broader domain compromise. Two lessons emerge: first, connectivity-test features must validate destination endpoints strictly; second, credentials stored in network appliances should be rotated regularly and monitored for anomalous reuse.
References
Frequently asked questions
- What is CVE-2018-13374?
- A Improper Access Control in Fortinet FortiOS 6.0.2, 5.6.7 and before, FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows attacker to obtain the LDAP server login credentials configured in FortiGate via pointing a LDAP server connectivity test request to a rogue LDAP server instead of the configured one.
- How severe is CVE-2018-13374?
- CVE-2018-13374 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2018-13374 being actively exploited?
- Yes. CVE-2018-13374 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-09-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-13374?
- CVE-2018-13374 primarily affects Fortinet Fortiadc. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-13374?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-13374 have an EU (EUVD) identifier?
- Yes. CVE-2018-13374 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-5318. It is also flagged as exploited in the EUVD (since 2022-09-08).
- When was CVE-2018-13374 published?
- CVE-2018-13374 was published on 2019-01-22 and last updated on 2026-06-17.
References
- https://fortiguard.com/advisory/FG-IR-18-157
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13374
Affected products (3)
- cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortiadc:6.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortiadc
- CVE-2023-37933 — High (CVSS 8.8): An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in…
- CVE-2022-39947 — High (CVSS 8.8): A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiADC…
- CVE-2022-38374 — High (CVSS 8.8): A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiADC 7.0.0 -…
- CVE-2023-26205 — High (CVSS 8.1): An improper access control vulnerability [CWE-284] in FortiADC automation feature 7.1.0 through 7.1.2, 7.0 all…
- CVE-2022-35851 — High (CVSS 8.0): An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC management interface…
- CVE-2023-25607 — High (CVSS 7.8): An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78 ]…
All CVEs affecting Fortinet Fortiadc →
Other CWE-732 (Incorrect Permission Assignment for Critical Resource) vulnerabilities
- CVE-2026-9508 — Critical (CVSS 10.0): Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow…
- CVE-2025-14988 — Critical (CVSS 10.0): A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain…
- CVE-2025-69426 — Critical (CVSS 10.0): The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating…
- CVE-2025-12004 — Critical (CVSS 10.0): Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown…
- CVE-2014-125121 — Critical (CVSS 10.0): Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation…
- CVE-2025-46093 — Critical (CVSS 9.9): LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to…
Browse all CWE-732 (Incorrect Permission Assignment for Critical Resource) vulnerabilities →