CVE-2018-13383
CVE-2018-13383 is a medium-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 4.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-01-10). The underlying weakness is classified as CWE-787.
Key facts
- Severity: Medium (CVSS 3.x base score 4.3)
- CVSS v2: 4.3
- EPSS exploit prediction: 34% (98th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-01-10)
- EU (EUVD) id: EUVD-2018-5327
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-01-10)
- Weakness: CWE-787
- Affected product: Fortinet Fortiproxy
- Published:
- Last modified:
Description
A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.
CVE-2018-13383: Heap Buffer Overflow in Fortinet FortiOS SSL VPN Web Portal
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2018-13383 is a heap buffer overflow vulnerability in the SSL VPN web portal of Fortinet FortiOS and FortiProxy. When an authenticated user accesses a proxied webpage through the SSL VPN tunnel, the system fails to correctly process javascript href data, causing memory corruption and a subsequent crash of the SSL VPN web service. This terminates active sessions for logged-in users.
Background
Fortinet FortiOS and FortiProxy are widely deployed in enterprise edge networks to provide secure remote access via SSL VPN. The SSL VPN web portal acts as a reverse proxy, allowing users to browse internal resources without a full VPN client. The proxying engine must sanitize and rewrite HTML, CSS, and JavaScript content on the fly. Historically, Fortinet SSL VPN endpoints have been high-value targets for both state-sponsored and financially motivated actors, making any service-termination or memory-corruption flaw in this path operationally significant.
Root Cause
The vulnerability is classified as CWE-787: Out-of-bounds Write (heap buffer overflow). Specifically, the SSL VPN web-portal proxy engine does not properly validate or bound the length of javascript href attributes when rewriting proxied webpages. When the proxy encounters a malformed or oversized JavaScript URI scheme in an HTML anchor tag, it writes beyond the bounds of a heap-allocated buffer. The lack of sufficient input length checks during HTML parsing and URL rewriting is the direct technical cause.
Impact
- Availability Impact: The overflow corrupts heap metadata, causing the SSL VPN web daemon to crash. All currently logged-in users lose their sessions, and the service becomes unavailable until the daemon restarts.
- Confidentiality / Integrity Impact: None. The CVSS v3 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:Lconfirms no confidentiality or integrity impact; the attack affects availability only. - CVSS v3 Score: 4.3 (MEDIUM)
- CVSS v2 Score: 4.3
Exploitation Walkthrough
This section is provided for defensive and awareness purposes only. The following description is generic and does not constitute a working exploit.
An attacker with valid SSL VPN credentials authenticates to the Fortinet SSL VPN web portal and navigates to an internal webpage under their control. The attacker crafts a webpage containing an HTML anchor tag with an oversized javascript href payload. When the FortiOS proxy engine rewrites the page for the client, the unsanitized href data triggers the heap buffer overflow, crashing the SSL VPN daemon. The attack does not require user interaction beyond the victim user browsing the malicious page.
Ethics caveat: This information is intended for security operations, detection engineering, and patch prioritization. Developing, distributing, or deploying weaponized exploit code is unlawful and unethical.
Affected and Patched Versions
| Product | Affected Versions |
|---|---|
| FortiOS | 6.0.0 through 6.0.4 |
| FortiOS | 5.6.0 through 5.6.10 |
| FortiOS | 5.4.0 through 5.4.12 |
| FortiOS | 5.2.14 and earlier |
| FortiProxy | 2.0.0 |
| FortiProxy | 1.2.8 and earlier |
Administrators should consult Fortinet PSIRT advisories for exact patched releases. At the time of publication, the recommended remediation is to upgrade to a version not listed above.
Remediation
- Upgrade: Apply the latest FortiOS and FortiProxy patches released by Fortinet. Patched builds address the heap buffer overflow by adding proper bounds checking during proxy HTML rewriting.
- Compensating Controls: If immediate patching is not feasible:
- Restrict SSL VPN access to a tightly controlled IP allowlist.
- Enable multi-factor authentication (MFA) to reduce the likelihood of credential compromise.
- Monitor SSL VPN daemon crash logs and auto-restart behavior.
- Use an alternative full-tunnel VPN client where possible to reduce reliance on the web-proxy portal.
Detection
- Log Monitoring: Monitor FortiOS event logs for repeated SSL VPN daemon crashes or unexpected restarts of the web-proxy process.
- Network Monitoring: Look for anomalous patterns where authenticated SSL VPN sessions terminate simultaneously across multiple users.
- Endpoint Detection: On managed endpoints, browser history or proxy logs may show access to internal pages with unusually large
javascript hrefattributes immediately preceding a VPN disconnect. - CISA KEV: This vulnerability is catalogued in the Known Exploited Vulnerabilities (KEV) list, indicating confirmed active exploitation. Threat-intelligence feeds should be monitored for associated adversary behavior.
Assessment
- Exploitation Probability: With an EPSS score of 0.33647 (33.6%) and a 98.18th percentile ranking, this vulnerability sits in the top tier of observed exploitation likelihood. The EPSS model, combined with KEV inclusion (added 2022-01-10) and EUVD confirmation, strongly signals that this flaw has been and continues to be leveraged in the wild.
- Ransomware Context: The CVE is linked to ransomware campaigns, making it a priority for incident-response and disaster-recovery planning.
- Lessons: First, edge VPN appliances remain a critical and frequently attacked surface; even medium-severity availability flaws can be chained into larger intrusions. Second, the gap between original disclosure (2019) and ongoing KEV activity underscores the real-world risk of unpatched edge infrastructure.
References
Frequently asked questions
- What is CVE-2018-13383?
- A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.
- How severe is CVE-2018-13383?
- CVE-2018-13383 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability low.
- Is CVE-2018-13383 being actively exploited?
- Yes. CVE-2018-13383 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-01-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-13383?
- CVE-2018-13383 primarily affects Fortinet Fortiproxy. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-13383?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-13383 have an EU (EUVD) identifier?
- Yes. CVE-2018-13383 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-5327. It is also flagged as exploited in the EUVD (since 2022-01-10).
- When was CVE-2018-13383 published?
- CVE-2018-13383 was published on 2019-05-29 and last updated on 2026-06-17.
References
- https://fortiguard.com/advisory/FG-IR-18-388
- https://fortiguard.com/advisory/FG-IR-20-229
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13383
Affected products (3)
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortiproxy:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortiproxy
- CVE-2026-24858 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet…
- CVE-2025-59718 — Critical (CVSS 9.8): A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0…
- CVE-2025-22252 — Critical (CVSS 9.8): A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager…
- CVE-2023-25610 — Critical (CVSS 9.8): A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version…
- CVE-2024-55591 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0…
- CVE-2023-42789 — Critical (CVSS 9.8): A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through…
All CVEs affecting Fortinet Fortiproxy →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…