CVE-2018-13382
CVE-2018-13382 is a critical-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 9.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-01-10). The underlying weakness is classified as CWE-863.
Key facts
- Severity: Critical (CVSS 3.x base score 9.1)
- CVSS v2: 5.0
- EPSS exploit prediction: 82% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-01-10)
- EU (EUVD) id: EUVD-2018-5326
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-01-10)
- Weakness: CWE-863
- Affected product: Fortinet Fortiproxy
- Published:
- Last modified:
Description
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests
CVE-2018-13382: Fortinet SSL VPN Improper Authorization Enables Unauthenticated Password Modification
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2018-13382 |
| Vendor | Fortinet |
| Products | FortiOS, FortiProxy |
| CWE | CWE-863: Improper Authorization |
| CVSS v3.1 | 9.1 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| CVSS v2 | 5.0 — AV:N/AC:L/Au:N/C:N/I:P/A:N |
| EPSS | 0.81691 (99.6th percentile) |
| CISA KEV | Added 2022-01-10 |
| Published | 2019-06-04 |
| Source | NVD |
Summary
An improper authorization vulnerability in the SSL VPN web portal of Fortinet FortiOS and FortiProxy allows an unauthenticated remote attacker to modify the password of an existing SSL VPN web portal user by sending specially crafted HTTP requests. Because the vulnerable endpoint fails to enforce proper access controls on the password-change operation, the attacker needs no prior credentials or session token to trigger the change.
Background
Fortinet FortiOS is the operating system that powers FortiGate next-generation firewalls and related security appliances. The integrated SSL VPN web portal provides remote users with browser-based access to internal resources. FortiProxy is a dedicated secure web gateway that also offers SSL VPN capabilities. Both products expose a web-based management and user portal interface that was found to lack sufficient authorization checks on a password-modification endpoint.
Root Cause
The vulnerability maps to CWE-863: Improper Authorization. The SSL VPN web portal contained a code path that handled password changes without verifying that the requester was already authenticated and authorized to modify the target account. As a result, the affected endpoint accepted password-change requests from arbitrary, unauthenticated network sources. This is a classic authorization-logic defect: the application performed authentication checks on some routes but omitted or bypassed them on the password-reset path.
Impact
The NVD CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, yielding a base score of 9.1 (Critical).
- Attack Vector (AV): Network — The service is reachable over the internet in typical deployments.
- Attack Complexity (AC): Low — No special conditions are required; a single HTTP request is sufficient.
- Privileges Required (PR): None — The attacker does not need a valid account or API key.
- User Interaction (UI): None — The target user does not need to click a link or perform any action.
- Scope (S): Unchanged — The vulnerable component is the SSL VPN portal itself.
- Confidentiality (C): High — Changing a legitimate user's password grants the attacker access to that account and any resources it can reach.
- Integrity (I): High — The attacker can alter account credentials at will.
- Availability (A): None — The flaw does not directly crash the appliance or deny service.
The older CVSS v2 score of 5.0 understates real-world risk because it does not capture the confidentiality impact of account takeover. In practice, successful exploitation provides an attacker with a foothold inside the VPN and, by extension, the internal network.
Exploitation Walkthrough
Ethics caveat: This section is written from a defender's perspective to help blue teams understand attack mechanics and improve detection coverage. No weaponized exploit code is provided.
An attacker typically proceeds as follows:
- Reconnaissance — Identify a publicly exposed Fortinet SSL VPN web portal, usually on TCP 443 or TCP 10443.
- Endpoint discovery — The password-change functionality is exposed via a specific HTTP request path in the SSL VPN web portal.
- Request crafting — The attacker sends an HTTP POST (or equivalent method, depending on the firmware version) containing the target username and the desired new password. Because the endpoint lacks authorization checks, the server processes the request as if it were legitimate.
- Account takeover — With the password changed, the attacker authenticates to the SSL VPN using the compromised user's credentials and gains access to internal resources.
Defenders should note that exploitation leaves network artifacts (HTTP requests to the SSL VPN portal) but does not necessarily generate failed-authentication events prior to the malicious password change.
Affected and Patched Versions
Based on the vendor advisory and CPE data:
FortiOS
- Affected: 6.0.0 through 6.0.4
- Affected: 5.6.0 through 5.6.8
- Affected: 5.4.1 through 5.4.10
FortiProxy
- Affected: 2.0.0
- Affected: 1.2.0 through 1.2.8
- Affected: 1.1.0 through 1.1.6
- Affected: 1.0.0 through 1.0.7
Exact patch levels are not specified in the source data; administrators should consult the Fortinet PSIRT advisory for the exact fixed releases and upgrade paths.
Remediation
- Upgrade firmware — Apply the latest patched FortiOS and FortiProxy releases available from Fortinet's support portal. Vendor-confirmed patch levels are documented in the official PSIRT advisory.
- Disable SSL VPN web portal — If the SSL VPN web portal is not required, disable the feature entirely to eliminate the attack surface.
- Restrict network exposure — Use firewall rules to limit SSL VPN portal access to trusted IP ranges or require connection through a jump host or VPN concentrator.
- Multi-factor authentication (MFA) — Enforce MFA for all SSL VPN users. While MFA does not prevent the password change itself, it can block account takeover if the attacker attempts to use the stolen credentials.
- Audit and reset passwords — If exploitation is suspected, force a password reset for all SSL VPN users and review VPN access logs for unauthorized sessions.
Detection
- WAF / reverse-proxy logs — Monitor for unexpected HTTP requests to SSL VPN portal paths that contain password-change parameters from unauthenticated source IPs.
- FortiOS event logs — Review VPN and system event logs for anomalous password-change events or simultaneous logins from unusual geolocations.
- SIEM correlation — Correlate SSL VPN portal requests with subsequent successful VPN tunnel establishments from the same source IP or new user-agent strings.
- Honeypot / canary accounts — Maintain a non-functional SSL VPN account and alert if its password is ever modified.
Assessment
CVE-2018-13382 carries an EPSS of 0.81691 (81.7% probability of exploitation within 30 days), placing it in the 99.6th percentile of all scored CVEs. It is also listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since 10 January 2022, confirming active, in-the-wild exploitation.
Key lessons:
- Authorization must cover every state-changing endpoint. Password-reset and password-change functions are high-value targets and should always require strong authentication and authorization checks.
- Internet-exposed VPN concentrators are a perennial target. Continuous attack-surface monitoring and aggressive patching of edge security appliances remain essential.
References
Frequently asked questions
- What is CVE-2018-13382?
- An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests
- How severe is CVE-2018-13382?
- CVE-2018-13382 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2018-13382 being actively exploited?
- Yes. CVE-2018-13382 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-01-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-13382?
- CVE-2018-13382 primarily affects Fortinet Fortiproxy. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-13382?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-13382 have an EU (EUVD) identifier?
- Yes. CVE-2018-13382 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-5326. It is also flagged as exploited in the EUVD (since 2022-01-10).
- When was CVE-2018-13382 published?
- CVE-2018-13382 was published on 2019-06-04 and last updated on 2026-06-17.
References
- https://fortiguard.com/advisory/FG-IR-18-389
- https://www.fortiguard.com/psirt/FG-IR-20-231
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13382
Affected products (3)
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortiproxy:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortiproxy
- CVE-2026-24858 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet…
- CVE-2025-59718 — Critical (CVSS 9.8): A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0…
- CVE-2025-22252 — Critical (CVSS 9.8): A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager…
- CVE-2023-25610 — Critical (CVSS 9.8): A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version…
- CVE-2024-55591 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0…
- CVE-2023-42789 — Critical (CVSS 9.8): A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through…
All CVEs affecting Fortinet Fortiproxy →
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →