CVE-2018-13379
CVE-2018-13379 is a critical-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 9.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.1)
- CVSS v2: 5.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2018-5323
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-22
- Affected product: Fortinet Fortiproxy
- Published:
- Last modified:
Description
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
CVE-2018-13379: Fortinet SSL VPN Path Traversal Enables System File Disclosure
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2018-13379 |
| CVSS v3 | 9.1 (CRITICAL) |
| CVSS v2 | 5.0 |
| EPSS | 0.99999 |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") |
| KEV | Yes (added 2021-11-03) |
| Affected | Fortinet FortiOS, FortiProxy |
Summary
A path traversal vulnerability in Fortinet FortiOS and FortiProxy SSL VPN web portals allows unauthenticated remote attackers to download arbitrary system files via specially crafted HTTP requests.
Background
Fortinet FortiOS is the operating system powering Fortinet's FortiGate firewall appliances, and FortiProxy is a secure web gateway product. Both products include an SSL VPN web portal feature that provides remote access for users. In affected versions, this portal is vulnerable to a path traversal flaw that can be exploited without authentication, making it a high-priority target for both opportunistic and advanced threat actors.
Root Cause
This vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The SSL VPN web portal fails to properly sanitize or restrict user-supplied pathnames in HTTP resource requests. An attacker can inject directory traversal sequences (e.g., ../) to escape the intended web root and access arbitrary files on the underlying system. The root cause is inadequate input validation on the resource request parameters handled by the SSL VPN portal.
Impact
The CVSS v3.1 score is 9.1 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. The metrics reflect:
- Network-based attack with no authentication required.
- Low attack complexity — the vulnerability is trivially exploitable.
- High confidentiality impact — arbitrary system files can be read.
- High availability impact — the CVSS v3 metrics indicate availability impact is HIGH, though the v2 metrics show no availability impact.
The CVSS v2 score is 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N), indicating partial confidentiality impact with no integrity or availability impact. The discrepancy between v2 and v3 scoring is notable; the v3 score more accurately captures the severity of unauthenticated file disclosure on an edge-facing VPN appliance.
With an EPSS of 0.99999 and EPSS percentile of 0.99994, this vulnerability is statistically almost certain to be exploited in the wild.
Exploitation Walkthrough
Ethics caveat: This section describes the vulnerability mechanism for defensive purposes only. Attempting to exploit systems without explicit authorization is illegal and unethical. The details below are intentionally generic to support detection and remediation efforts.
The attack is launched against the SSL VPN web portal endpoint. The vulnerability exists in the handling of HTTP resource requests where the server constructs a file path from user input without proper sanitization. An attacker sends an HTTP request with directory traversal characters embedded in the resource path parameter. Because the application does not validate or restrict the path, the server resolves the request to a file outside the intended web directory and returns its contents in the HTTP response.
This is a classic directory traversal vulnerability exposed on an externally accessible, unauthenticated endpoint. Attackers have historically used this to retrieve sensitive system files such as SSL VPN session files, which may contain credentials or session tokens that enable further compromise.
Affected and Patched Versions
Affected products:
- Fortinet FortiOS: 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12
- Fortinet FortiProxy: 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, and 1.0.0 to 1.0.7
Patched versions: The exact patched versions are not provided in the available data. Administrators should upgrade to the latest FortiOS and FortiProxy releases available from Fortinet and consult the FortiGuard PSIRT advisory for specific patch guidance.
Remediation
- Upgrade immediately: Apply the latest Fortinet firmware updates for FortiOS and FortiProxy. Given the KEV status and near-certain EPSS probability, patching should be treated as an emergency priority.
- Disable SSL VPN web portal: If the SSL VPN web portal is not required, disable it until patching is complete.
- Network segmentation: Restrict access to the SSL VPN portal to authorized IP ranges using firewall rules or network segmentation.
- Multi-factor authentication (MFA): Enforce MFA for all VPN access where supported, though this vulnerability is pre-authentication and MFA alone does not prevent exploitation.
- Certificate and credential rotation: If exploitation is suspected, rotate VPN certificates, admin credentials, and any credentials that may have been exposed in downloaded system files.
Detection
- Monitor web server logs for the SSL VPN portal for HTTP requests containing directory traversal patterns (
../,%2e%2e%2f, etc.) in resource path parameters. - Look for anomalous file access attempts or HTTP responses containing system file contents (e.g., session files, configuration files) from the SSL VPN portal endpoint.
- Correlate FortiGate/FortiProxy logs with SIEM rules for unauthorized file access or unexpected HTTP 200 responses from the VPN portal.
- Review historical access logs for the SSL VPN portal for signs of reconnaissance or exploitation, especially around 2021–2022 when KEV activity was confirmed.
Assessment
CVE-2018-13379 is one of the most actively exploited network-edge vulnerabilities on record. Its inclusion in CISA's Known Exploited Vulnerabilities catalog (added 2021-11-03) and its EPSS of 0.99999 confirm that it has been weaponized by threat actors at scale. The primary lesson is that externally accessible, unauthenticated endpoints must undergo rigorous input validation testing before deployment. A second lesson is that CVSS v2 scores can significantly understate the real-world risk of unauthenticated file disclosure vulnerabilities; the v3 score of 9.1 more accurately reflects the severity.
References
Frequently asked questions
- What is CVE-2018-13379?
- An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
- How severe is CVE-2018-13379?
- CVE-2018-13379 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability high.
- Is CVE-2018-13379 being actively exploited?
- Yes. CVE-2018-13379 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-13379?
- CVE-2018-13379 primarily affects Fortinet Fortiproxy. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-13379?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-13379 have an EU (EUVD) identifier?
- Yes. CVE-2018-13379 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-5323. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2018-13379 published?
- CVE-2018-13379 was published on 2019-06-04 and last updated on 2026-06-17.
References
- https://fortiguard.com/advisory/FG-IR-18-384
- https://www.fortiguard.com/psirt/FG-IR-20-233
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13379
Affected products (3)
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortiproxy:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortiproxy
- CVE-2026-24858 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet…
- CVE-2025-59718 — Critical (CVSS 9.8): A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0…
- CVE-2025-22252 — Critical (CVSS 9.8): A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager…
- CVE-2023-25610 — Critical (CVSS 9.8): A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version…
- CVE-2024-55591 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0…
- CVE-2023-42789 — Critical (CVSS 9.8): A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through…
All CVEs affecting Fortinet Fortiproxy →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…