CVE-2013-1414

FortiOS < 4.3.13 and 5.x < 5.0.2 - Cross-Site Request Forgery

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-1414. PoCs published by Sven Wurth.

AI-analyzed exploit summary This PoC demonstrates a CSRF vulnerability in Fortinet Firewalls, allowing an attacker to perform actions like rebooting the device by tricking an authenticated administrator into visiting a malicious page. The exploit leverages the lack of CSRF tokens in certain functions.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Fortinet FortiOS on FortiGate firewall devices before 4.3.13 and 5.x before 5.0.2 allow remote attackers to hijack the authentication of administrators for requests that modify (1) settings or (2) policies, or (3) restart the device via a rebootme action to system/maintenance/shutdown.

Exploits (1)

exploitdb WORKING POC
by Sven Wurth · textwebappshardware
https://www.exploit-db.com/exploits/26528

This PoC demonstrates a CSRF vulnerability in Fortinet Firewalls, allowing an attacker to perform actions like rebooting the device by tricking an authenticated administrator into visiting a malicious page. The exploit leverages the lack of CSRF tokens in certain functions.

Classification
Working Poc 100%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Fortinet Firewalls < 4.3.13 & < 5.0.2
Auth required
Prerequisites: Knowledge of the victim's IP address · Authenticated administrator session
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/26528/

Scores

EPSS 0.0229
EPSS Percentile 81.1%

Details

CWE
CWE-352
Status published
Products (33)
fortinet/fortigate-1000c
fortinet/fortigate-100d
fortinet/fortigate-110c
fortinet/fortigate-1240b
fortinet/fortigate-200b
fortinet/fortigate-20c
fortinet/fortigate-300c
fortinet/fortigate-3040b
fortinet/fortigate-310b
fortinet/fortigate-311b
... and 23 more
Published Jul 08, 2013
Tracked Since Feb 18, 2026