Cyber Resilience

CVE-2018-13379

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 04 June 2019
Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.9447 (100.0th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-13379 is a critical-severity Path Traversal (CWE-22) vulnerability in Fortinet FortiOS. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2018-13379 is a path traversal vulnerability (CWE-22) affecting the SSL VPN web portal in Fortinet FortiOS versions 6.0.0 through 6.0.4, 5.6.3 through 5.6.7, and 5.4.6 through 5.4.12, as well as FortiProxy versions 2.0.0, 1.2.0 through 1.2.8, 1.1.0 through 1.1.6, and 1.0.0 through 1.0.7. The flaw permits specially crafted HTTP resource requests to bypass directory restrictions and access files outside the intended web portal scope.

An unauthenticated remote attacker can exploit the issue over the network, without credentials or user interaction, to download arbitrary system files, resulting in high confidentiality and availability impact, as reflected in its CVSS 9.1 score.

FortiGuard advisories FG-IR-18-384 and FG-IR-20-233 provide official guidance and patches for the affected Fortinet products. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation.

EU & UK References

Vulnerability details

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: fortinet · Product: fortiproxy · Versions: 2.0.0 · ≤ 1.2.9
Vendor: fortinet · Product: fortios · Versions: 5.4.6 to 5.4.13 · 5.6.3 to 5.6.8 · 6.0.0 to 6.0.5

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Validates HTTP resource request paths to block traversal sequences that escape the intended SSL VPN web portal directory.

prevent (AC-3, Access Enforcement): Enforces access-control policy on portal resources so that unauthenticated requests cannot retrieve files outside the allowed scope.

prevent: Mediates information flows between the SSL VPN portal and the file system, denying unauthorized exfiltration of system files.
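The input-validation control above (confining a requested resource path to the portal's directory) is illustrated by the following added example. It is not code from this page or from Fortinet: `PORTAL_ROOT`, the `resolve_portal_path` and `flag_traversal_requests` functions, and the simplified access-log lines are all constructed here for demonstration. The same validator serves two purposes: as a request-time check that rejects any path which would resolve outside the portal root (including percent-encoded and double-encoded `..` segments, backslashes and NUL bytes), and as a detection rule run retrospectively over web access logs.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root of the SSL VPN web portal (illustrative; not a real FortiOS path).
PORTAL_ROOT = "/var/www/portal"


def resolve_portal_path(resource, root=PORTAL_ROOT):
    """Map an HTTP resource path to a filesystem path under `root`.

    Returns the resolved path, or None when the request must be rejected
    because it would escape the portal directory or is malformed.
    """
    decoded = unquote(resource)
    # Reject double-encoded input (e.g. %252e) rather than decoding it again;
    # a second decode pass would change the meaning of the request.
    if unquote(decoded) != decoded:
        return None
    # NUL bytes and backslashes have no place in a portal resource name.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Treat the resource as relative to the root even when it starts with "/".
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # normpath collapses "..", so anything still inside the root is the root
    # itself or begins with "<root>/".
    root = root.rstrip("/") or "/"
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed sample access-log lines in a simplified common-log style.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /css/style.css HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /images/../../../etc/hosts HTTP/1.1" 200 180',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /login?next=/home HTTP/1.1" 200 900',
]

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_traversal_requests(log_lines, root=PORTAL_ROOT):
    """Return (line number, request path) for every logged request that the
    validator would have rejected, so the same rule doubles as a detection."""
    flagged = []
    for number, line in enumerate(log_lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]  # the query string is not part of the path
        if resolve_portal_path(path, root) is None:
            flagged.append((number, path))
    return flagged


if __name__ == "__main__":
    for number, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: rejected path {path!r}")
```

Note that the validator is applied to the decoded path before any filesystem access and that a legitimate relative reference such as `/a/b/../c.html` still resolves (to `a/c.html` under the root); only requests whose normalised form leaves the root are refused. A response status of 200 on a flagged line in a real log would be the signal worth escalating.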

References