CVE-2018-13374

MEDIUM KEV RANSOMWARE

FortiOS < 6.0.3 and FortiADC 5.4.0-5.4.4 - LDAP Server Credential Exposure via Connectivity Test Request

Title source: llm

Exploitation Summary

CVE-2018-13374 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 8, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including Julio Ureña and Justjeff211.

Description

An Improper Access Control vulnerability in Fortinet FortiOS 6.0.2, 5.6.7 and before, and FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows an attacker to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server instead of the configured one.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Julio Ureña · python · webapps · hardware
https://www.exploit-db.com/exploits/46171

This exploit leverages CVE-2018-13374 to capture LDAP credentials from FortiGate devices by manipulating the LDAP server configuration via an authenticated API request. It sets up a listener to intercept credentials sent by the FortiGate device.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: FortiGate (versions affected by CVE-2018-13374)
Auth required
Prerequisites: Valid credentials for FortiGate · Network access to the FortiGate device · LDAP configured on the FortiGate device
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by Justjeff211 · poc
https://github.com/Justjeff211/conti-ransomware-writeup

This repository contains a detailed technical write-up of a Conti ransomware compromise, focusing on the exploitation of CVE-2018-13374 among other vulnerabilities. The analysis includes log correlation, malware analysis, and incident response methodologies, supported by visual evidence.

Classification: Writeup 90%
Attack Type: Other
Complexity: Complex
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Access to Splunk logs · Windows Security logs · Sysmon logs · IIS logs
devstral-2 · analyzed Apr 10, 2026

Scores

CVSS v3 4.3
EPSS 0.3809
EPSS Percentile 98.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-09-08
VulnCheck KEV 2021-02-16
InTheWild.io 2022-01-27
ENISA EUVD EUVD-2018-5318
Ransomware Use Confirmed
CWE CWE-732
Status published
Products (3)
fortinet/fortiadc 6.1.0
fortinet/fortiadc 5.4.0 - 5.4.5
fortinet/fortios < 6.0.3
Published Jan 22, 2019
KEV Added Sep 08, 2022
Tracked Since Feb 18, 2026