Cyber Resilience

CVE-2018-13382

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 04 June 2019
Modified: 24 October 2025
KEV Added: 10 January 2022
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.8708 (99.5th percentile)
Risk Priority: 90 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-13382 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Fortinet FortiOS. Its CVSS base score is 9.1 (Critical).

Operationally, this CVE is ranked in the top 0.5% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).

Deeper analysis

CVE-2018-13382 is an improper authorization vulnerability, tracked under CWE-863, that affects the SSL VPN web portal in Fortinet FortiOS versions 6.0.0 through 6.0.4, 5.6.0 through 5.6.8, and 5.4.1 through 5.4.10, as well as FortiProxy versions 2.0.0, 1.2.0 through 1.2.8, 1.1.0 through 1.1.6, and 1.0.0 through 1.0.7. The flaw carries a CVSS v3.1 score of 9.1 and permits unauthorized changes to user credentials through the web portal interface.

An unauthenticated remote attacker can exploit the issue over the network by sending specially crafted HTTP requests to the SSL VPN web portal, enabling modification of an affected user's password. Successful exploitation grants the attacker the ability to change credentials without authentication, resulting in high impact to confidentiality and integrity while availability remains unaffected.

Official Fortinet advisories FG-IR-18-389 and FG-IR-20-231 address the vulnerability and are referenced alongside the CISA Known Exploited Vulnerabilities catalog entry, confirming active exploitation in the wild. Security practitioners should apply the patches or mitigations detailed in those advisories for the listed FortiOS and FortiProxy releases.

EU & UK References

Vulnerability details

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.

CWE(s): CWE-863 (Incorrect Authorization)
KEV Date Added: 10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fortinet / fortiproxy: 2.0.0 · ≤ 1.2.9
fortinet / fortios: 5.4.1 to 5.4.11 · 5.6.0 to 5.6.9 · 6.0.0 to 6.0.5

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: Directly enforces authorization checks on all requests to the SSL VPN web portal before permitting password modifications, blocking the unauthenticated changes described in the CVE.

AC-2 (Account Management), prevent: Requires explicit account-management authorization for password changes, preventing the unauthorized credential modifications allowed by the improper authorization flaw.

IA-8 (Identification and Authentication, Non-Organizational Users), prevent: Mandates identification and authentication of non-organizational users before any privileged actions such as password changes on the SSL VPN portal.

References