Overview
A critical path traversal vulnerability in Fortinet FortiOS and FortiProxy SSL VPN web portal allows unauthenticated attackers to download arbitrary system files through crafted HTTP requests. This vulnerability has been extensively exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities catalog. The vulnerability was disclosed on June 4, 2019. CISA has identified CVE-2018-13379 as being exploited and is known to be used in ransomware campaigns.
Technical details
The FortiOS SSL VPN web portal fails to properly validate and sanitize HTTP request paths, allowing attackers to use path traversal sequences (such as '../' and encoded variants) to access files outside the intended web root directory. This affects both the FortiOS operating system and FortiProxy appliances, which share similar vulnerable code in their SSL VPN implementations. The vulnerability does not require authentication and can be exploited remotely via standard HTTP GET or POST requests.
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) .
The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating its high nature.
Impact
Attackers can download sensitive system files from the affected FortiOS or FortiProxy appliances without authentication. This includes configuration files, system databases, logs, SSL certificates, and potentially authentication credentials. Particularly critical is the ability to extract the FortiOS system configuration file (typically located at /etc/config/system.conf or similar) which may contain administrative credentials, VPN user accounts, and other sensitive configuration data. The extracted information can be used for further attacks, privilege escalation, or lateral movement within target networks. This vulnerability has been actively exploited by multiple threat actors since its public disclosure.
Mitigation and workarounds
Apply the security patches from Fortinet immediately. Visit https://www.fortinet.com/support/product-downloads for the latest firmware versions. For FortiOS, ensure your appliance is updated to a patched version. For managed devices, this may require coordination with your managed service provider. The following versions include the necessary fixes: FortiOS 6.0.5 and later, FortiOS 5.6.8 and later, FortiOS 5.4.13 and later, FortiProxy 2.0.1 and later, FortiProxy 1.2.9 and later, FortiProxy 1.1.7 and later, FortiProxy 1.0.8 and later.
As temporary workarounds: restrict network access to the ssl vpn portal to trusted ip addresses or networks using firewall rules. implement ip-based access control lists (acls) that limit which hosts can reach the ssl vpn web interface.; disable the ssl vpn web portal if not required for business operations. some organizations may be able to use vpn client software exclusively instead of the web portal., and monitor access logs for suspicious patterns indicating exploitation attempts, such as requests containing '../' or url-encoded path traversal sequences (e.g., '..%2f', '..%5c')..
CISA's recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated using AI
