CVE-2018-13379

CVE-2018-13379 is a critical-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 9.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.

Key facts

Description

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

CVE-2018-13379: Fortinet SSL VPN Path Traversal Enables System File Disclosure

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2018-13379
CVSS v3 9.1 (CRITICAL)
CVSS v2 5.0
EPSS 0.99999
CWE CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
KEV Yes (added 2021-11-03)
Affected Fortinet FortiOS, FortiProxy

Summary

A path traversal vulnerability in Fortinet FortiOS and FortiProxy SSL VPN web portals allows unauthenticated remote attackers to download arbitrary system files via specially crafted HTTP requests.

Background

Fortinet FortiOS is the operating system powering Fortinet's FortiGate firewall appliances, and FortiProxy is a secure web gateway product. Both products include an SSL VPN web portal feature that provides remote access for users. In affected versions, this portal is vulnerable to a path traversal flaw that can be exploited without authentication, making it a high-priority target for both opportunistic and advanced threat actors.

Root Cause

This vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The SSL VPN web portal fails to properly sanitize or restrict user-supplied pathnames in HTTP resource requests. An attacker can inject directory traversal sequences (e.g., ../) to escape the intended web root and access arbitrary files on the underlying system. The root cause is inadequate input validation on the resource request parameters handled by the SSL VPN portal.

Impact

The CVSS v3.1 score is 9.1 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. The metrics reflect:

  • Network-based attack with no authentication required.
  • Low attack complexity — the vulnerability is trivially exploitable.
  • High confidentiality impact — arbitrary system files can be read.
  • High availability impact — the CVSS v3 metrics indicate availability impact is HIGH, though the v2 metrics show no availability impact.

The CVSS v2 score is 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N), indicating partial confidentiality impact with no integrity or availability impact. The discrepancy between v2 and v3 scoring is notable; the v3 score more accurately captures the severity of unauthenticated file disclosure on an edge-facing VPN appliance.

With an EPSS of 0.99999 and EPSS percentile of 0.99994, this vulnerability is statistically almost certain to be exploited in the wild.

Exploitation Walkthrough

Ethics caveat: This section describes the vulnerability mechanism for defensive purposes only. Attempting to exploit systems without explicit authorization is illegal and unethical. The details below are intentionally generic to support detection and remediation efforts.

The attack is launched against the SSL VPN web portal endpoint. The vulnerability exists in the handling of HTTP resource requests where the server constructs a file path from user input without proper sanitization. An attacker sends an HTTP request with directory traversal characters embedded in the resource path parameter. Because the application does not validate or restrict the path, the server resolves the request to a file outside the intended web directory and returns its contents in the HTTP response.

This is a classic directory traversal vulnerability exposed on an externally accessible, unauthenticated endpoint. Attackers have historically used this to retrieve sensitive system files such as SSL VPN session files, which may contain credentials or session tokens that enable further compromise.

Affected and Patched Versions

Affected products:

  • Fortinet FortiOS: 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12
  • Fortinet FortiProxy: 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, and 1.0.0 to 1.0.7

Patched versions: The exact patched versions are not provided in the available data. Administrators should upgrade to the latest FortiOS and FortiProxy releases available from Fortinet and consult the FortiGuard PSIRT advisory for specific patch guidance.

Remediation

  1. Upgrade immediately: Apply the latest Fortinet firmware updates for FortiOS and FortiProxy. Given the KEV status and near-certain EPSS probability, patching should be treated as an emergency priority.
  2. Disable SSL VPN web portal: If the SSL VPN web portal is not required, disable it until patching is complete.
  3. Network segmentation: Restrict access to the SSL VPN portal to authorized IP ranges using firewall rules or network segmentation.
  4. Multi-factor authentication (MFA): Enforce MFA for all VPN access where supported, though this vulnerability is pre-authentication and MFA alone does not prevent exploitation.
  5. Certificate and credential rotation: If exploitation is suspected, rotate VPN certificates, admin credentials, and any credentials that may have been exposed in downloaded system files.

Detection

  • Monitor web server logs for the SSL VPN portal for HTTP requests containing directory traversal patterns (../, %2e%2e%2f, etc.) in resource path parameters.
  • Look for anomalous file access attempts or HTTP responses containing system file contents (e.g., session files, configuration files) from the SSL VPN portal endpoint.
  • Correlate FortiGate/FortiProxy logs with SIEM rules for unauthorized file access or unexpected HTTP 200 responses from the VPN portal.
  • Review historical access logs for the SSL VPN portal for signs of reconnaissance or exploitation, especially around 2021–2022 when KEV activity was confirmed.

Assessment

CVE-2018-13379 is one of the most actively exploited network-edge vulnerabilities on record. Its inclusion in CISA's Known Exploited Vulnerabilities catalog (added 2021-11-03) and its EPSS of 0.99999 confirm that it has been weaponized by threat actors at scale. The primary lesson is that externally accessible, unauthenticated endpoints must undergo rigorous input validation testing before deployment. A second lesson is that CVSS v2 scores can significantly understate the real-world risk of unauthenticated file disclosure vulnerabilities; the v3 score of 9.1 more accurately reflects the severity.

References

Frequently asked questions

What is CVE-2018-13379?
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
How severe is CVE-2018-13379?
CVE-2018-13379 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability high.
Is CVE-2018-13379 being actively exploited?
Yes. CVE-2018-13379 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2018-13379?
CVE-2018-13379 primarily affects Fortinet Fortiproxy. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2018-13379?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2018-13379 have an EU (EUVD) identifier?
Yes. CVE-2018-13379 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-5323. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2018-13379 published?
CVE-2018-13379 was published on 2019-06-04 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Fortinet Fortiproxy

All CVEs affecting Fortinet Fortiproxy →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →