A threat actor has disclosed the VPN login names and passwords associated with 87,000 Fortinet FortiGate SSL-VPN devices.
Network security solutions provider Fortinet confirmed that these credentials were obtained from systems that remained unpatched against CVE-2018-13379 during the actor’s scan.
Even devices that have since been patched remain at risk if their passwords were not reset after patching.
The company disclosed the leak after the threat actor posted a list of Fortinet credentials for free on RAMP, a new Russian-speaking forum that launched in July 2021, and also on Groove ransomware’s data leak site.
Researchers at Advanced Intel stated that the breach list contains raw access to top companies across 74 countries, including India, Taiwan, Italy, France, and Israel; 2,959 of the 22,500 victims are U.S. entities.
CVE-2018-13379 relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.
The flaw was patched in May 2019, but it was repeatedly exploited by multiple adversaries to deploy an array of malicious payloads on unpatched devices. As a result, Fortinet was forced to issue a series of advisories in August 2019, July 2020, April 2021, and again in June 2021, urging customers to upgrade affected appliances.
CVE-2018-13379 was also ranked among the most exploited flaws of 2020.
Fortinet recommends that all companies immediately disable their VPNs and upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above. It also urges them to reset passwords, since users whose credentials were previously compromised may still be at risk even after the upgrade.
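As an added example (not code from the article or from Fortinet), the following Python triage helper encodes the fixed releases the article lists and its advice that patching alone does not retire credentials harvested while a device was exposed. The inventory records are constructed, and the handling of branches outside the advisory (older than 5.4 treated as unpatched, newer than 6.2 treated as post-fix) is this example's own assumption.

```python
"""Triage FortiGate SSL-VPN appliances against CVE-2018-13379 (example code)."""
from typing import Dict, List, Tuple

# Minimum fixed patch level per affected FortiOS branch, as listed in the article.
FIXED_BY_BRANCH = {(5, 4): 13, (5, 6): 14, (6, 0): 11, (6, 2): 8}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'FortiOS 6.0.11' or 'v6.0.11' into (6, 0, 11)."""
    token = text.strip().split()[-1].lstrip("vV")
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if the build is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return patch >= FIXED_BY_BRANCH[branch]
    # Assumption: branches the advisory does not list are unpatched if older
    # than 5.4 and shipped after the May 2019 fix if newer than 6.2.
    return branch > (6, 2)


def credential_reset_needed(version: str, ever_exposed_unpatched: bool) -> bool:
    """Upgrading closes the file-read hole but does not invalidate passwords
    already read from the session file; any exposure while unpatched means
    the credentials must be rotated regardless of the current build."""
    return ever_exposed_unpatched or not is_patched(version)


def triage(inventory: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each host to the actions the article's advice implies."""
    actions: Dict[str, List[str]] = {}
    for device in inventory:
        host, version = str(device["host"]), str(device["version"])
        exposed = bool(device["exposed_unpatched"])
        todo: List[str] = []
        if not is_patched(version):
            todo.append("upgrade")
        if credential_reset_needed(version, exposed):
            todo.append("reset-credentials")
        actions[host] = todo
    return actions


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    {"host": "fw-branch-a", "version": "FortiOS 6.0.10", "exposed_unpatched": True},
    {"host": "fw-branch-b", "version": "6.2.8", "exposed_unpatched": True},
    {"host": "fw-hq", "version": "v6.4.1", "exposed_unpatched": False},
]
```

Running `triage(SAMPLE_INVENTORY)` flags the unpatched host for both actions, the patched-but-once-exposed host for a credential reset only, and the never-exposed post-fix host for nothing.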