CVE-2018-13382

CRITICAL · KEV · RANSOMWARE

FortiProxy < 1.2.9 and FortiOS 5.4.1-5.4.10 - Unauthenticated Password Modification via SSL VPN Web Portal

Title source: llm

Exploitation Summary

CVE-2018-13382 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added January 10, 2022), with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Ricardo Longatto, milo2012 and tumikoto.

AI-analyzed exploit summary: This exploit leverages an unauthenticated password modification vulnerability in Fortinet FortiOS SSL VPN. It sends a crafted POST request with a hardcoded 'magic' value to change the password of a specified user.

Description

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10, and in FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6 and 1.0.0 to 1.0.7, under the SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.

Exploits (4)

exploitdb · WORKING POC
by Ricardo Longatto · python · webapps · hardware
https://www.exploit-db.com/exploits/49074

This exploit leverages an unauthenticated password modification vulnerability in Fortinet FortiOS SSL VPN. It sends a crafted POST request with a hardcoded 'magic' value to change the password of a specified user.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, 5.4.1 to 5.4.10
No auth needed
Prerequisites: Network access to the FortiOS SSL VPN portal · Knowledge of a valid username
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 147 stars
by milo2012 · remote
https://github.com/milo2012/CVE-2018-13382

This PoC exploits CVE-2018-13382, an improper authorization vulnerability in Fortinet FortiOS SSL VPN web portal, allowing unauthenticated password changes via crafted HTTP requests. It checks for target validity, changes the password using a magic keyword, and verifies the new credentials.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, 5.4.1 to 5.4.10
No auth needed
Prerequisites: Network access to the target SSL VPN portal · Valid username for the target system
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 1 star
by tumikoto · remote
https://github.com/tumikoto/Exploit-FortinetMagicBackdoor

This PowerShell script exploits CVE-2018-13382, a backdoor in Fortinet SSL VPN that allows password resets for valid users via a hidden 'magic' parameter. It sends a crafted POST request to change the password of a specified user without authentication.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Fortinet FortiOS SSL VPN (versions affected by CVE-2018-13382)
No auth needed
Prerequisites: Valid username for the target FortiGate SSL VPN · Network access to the SSL VPN interface
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC
by cojoben · remote
https://github.com/cojoben/CVE-2018-13382

This PoC exploits CVE-2018-13382, an authentication bypass vulnerability in Fortinet FortiOS SSL VPN. It allows an attacker to change the password of any user without knowing the original password by leveraging a 'magic' keyword in the request.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Fortinet FortiOS SSL VPN (versions affected by CVE-2018-13382)
No auth needed
Prerequisites: Network access to the FortiOS SSL VPN interface · Valid username to target for password change
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core 3

Scores

CVSS v3: 9.1
EPSS: 0.8169
EPSS Percentile: 99.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2022-01-10
VulnCheck KEV: 2019-10-02
InTheWild.io: 2019-09-02
ENISA EUVD: EUVD-2018-5326
Ransomware Use: Confirmed
CWE: CWE-863
Status: published
Products (3)
fortinet/fortios 5.4.1 - 5.4.11
fortinet/fortiproxy 2.0.0
fortinet/fortiproxy < 1.2.9
Published: Jun 04, 2019
KEV Added: Jan 10, 2022
Tracked Since: Feb 18, 2026