Fortinet Vulnerabilities Being Actively Exploited

The FBI and US Cybersecurity and Infrastructure Security Agency issue joint alert: cyber attackers are actively scanning for Fortinet systems that have not been patched. 


US agencies have warned that advanced persistent threat (APT) groups are exploiting Fortinet FortiOS vulnerabilities to compromise systems belonging to government and commercial entities. These vulnerabilities are known and patches have been issued, but unless IT administrators apply the fixes, Fortinet FortiOS builds remain open to compromise.

Fortinet FortiOS, an operating system underpinning Fortinet Security Fabric, is a solution designed to improve enterprise security, covering endpoints, cloud deployments, and centralized networks. The agencies say that three issues are being exploited (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) as detailed here:

CVE-2018-13379: Issued a CVSS severity score of 9.8, this path traversal vulnerability in the FortiOS SSL VPN web portal lets unauthenticated attackers download system files through specially crafted HTTP requests. Affected builds are FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12. 
CVE-2020-12812: This improper authentication issue, also in the FortiOS SSL VPN, has earned a CVSS score of 9.8 because it lets users log in successfully without being prompted for the second factor of authentication if they change the case of their username. FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below contain this bug. 
CVE-2019-5591: With a CVSS score of 7.5, this default-configuration vulnerability in FortiOS 6.2.0 and below can allow an unauthenticated attacker on the same subnet to intercept sensitive data by impersonating the LDAP server. 
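The advisory describes the symptom of CVE-2020-12812 (a different username case skips the second factor) but not the internal cause. The following is an added illustrative model, not FortiOS code and not Fortinet's fix: a toy login flow in which the credential check treats the username case-insensitively while the per-user second-factor policy is looked up with the exact string the client sent, which is one way a case-handling mismatch produces exactly that bypass. The account names, passwords and the `requires_2fa` flag are constructed sample data.

```python
"""Toy model of a username-case mismatch that skips the second factor.

Added example for illustration; this is not FortiOS code. The vulnerable
flow checks credentials case-insensitively but keys the 2FA policy on the
raw username, so "Alice" authenticates as "alice" yet finds no policy and
defaults to "no second factor". The hardened flow canonicalizes once and
uses the resolved account record for every later decision.
"""
from dataclasses import dataclass
import hmac


@dataclass
class Account:
    username: str
    password: str      # constructed sample data; a real store keeps hashes
    requires_2fa: bool


# Constructed sample directory, keyed by the stored (lower-case) username.
ACCOUNTS = {
    "alice": Account("alice", "correct horse", requires_2fa=True),
    "bob": Account("bob", "battery staple", requires_2fa=False),
}


def _credentials_ok(username: str, password: str) -> bool:
    """Credential check that is case-insensitive on the username, as many
    directory back ends are."""
    acct = ACCOUNTS.get(username.lower())
    return acct is not None and hmac.compare_digest(acct.password, password)


def login_vulnerable(username: str, password: str, token_ok: bool) -> str:
    """Vulnerable: the 2FA policy lookup uses the raw username. 'Alice'
    passes the credential check but misses the policy entry for 'alice',
    so the second factor is never demanded."""
    if not _credentials_ok(username, password):
        return "denied"
    acct = ACCOUNTS.get(username)          # exact-case lookup: the bug
    needs_2fa = acct.requires_2fa if acct else False   # missing policy fails open
    if needs_2fa and not token_ok:
        return "second factor required"
    return "granted"


def login_hardened(username: str, password: str, token_ok: bool) -> str:
    """Hardened: canonicalize the username once, resolve the account once,
    and derive every subsequent decision from that one record. An unknown
    account is denied rather than treated as 'no policy'."""
    canonical = username.strip().lower()
    acct = ACCOUNTS.get(canonical)
    if acct is None or not hmac.compare_digest(acct.password, password):
        return "denied"
    if acct.requires_2fa and not token_ok:
        return "second factor required"
    return "granted"


if __name__ == "__main__":
    print("vulnerable, 'Alice', no token:", login_vulnerable("Alice", "correct horse", False))
    print("hardened,   'Alice', no token:", login_hardened("Alice", "correct horse", False))
```

The general lesson is the one that matters for review: every identity-dependent decision in a login path (password check, MFA policy, group membership, lockout counters) must be keyed on the same canonical identifier, and a lookup that finds nothing must fail closed.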

According to the advisory, APTs are scanning with a particular focus on open, vulnerable systems belonging to government, technology, and commercial services. 

"The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks," the agencies say. "APT actors may use other CVEs or common exploitation techniques -- such as spear phishing -- to gain access to critical infrastructure networks to pre-position for follow-on attacks."
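Scanning for an unpatched SSL VPN portal with a path traversal bug leaves a recognisable trace in the web portal's access log: requests against the portal path carrying `..` segments, often URL-encoded or double-encoded to evade naive filters. The following is an added example (not from the advisory, and it does not use the actual CVE-2018-13379 request, which the advisory does not reproduce) that parses constructed Apache combined-style log lines, decodes each URI until it stops changing, flags traversal sequences under an assumed portal prefix of `/remote/`, and reports sources that exceed a hit threshold as likely scanners. The IP addresses, timestamps and URIs are constructed sample data.

```python
"""Flag path-traversal probing of an SSL VPN web portal in access logs.

Added example; the log lines, the `/remote/` portal prefix and the encoded
variants are constructed for illustration and are not the real exploit.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined-log style: client, ident, user, [ts], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# A ".." path segment that is not part of a filename such as "report..v2.pdf":
# not preceded by an alphanumeric or dot, and followed by a slash or end of string.
TRAVERSAL_RE = re.compile(r'(?<![A-Za-z0-9.])\.\.(?=[/\\]|$)')

# Constructed sample log: one source probing with plain, encoded and
# double-encoded traversal, one source behaving normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2021:02:14:07 +0000] "GET /remote/login HTTP/1.1" 200 1533
203.0.113.5 - - [10/Apr/2021:02:14:09 +0000] "GET /remote/portal?path=../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.5 - - [10/Apr/2021:02:14:10 +0000] "GET /remote/portal?path=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0
203.0.113.5 - - [10/Apr/2021:02:14:11 +0000] "GET /remote/portal?path=%252e%252e%252f%252e%252e%252fetc HTTP/1.1" 404 0
198.51.100.7 - - [10/Apr/2021:02:15:00 +0000] "GET /remote/login HTTP/1.1" 200 1533
198.51.100.7 - - [10/Apr/2021:02:15:03 +0000] "POST /remote/logincheck HTTP/1.1" 302 0
"""


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that
    double-encoded "%252e%252e%252f" is seen as "../"."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(uri: str) -> bool:
    """True if the decoded URI contains a ".." path segment."""
    return TRAVERSAL_RE.search(fully_decode(uri)) is not None


def scan_log(text: str, portal_prefix: str = "/remote/", threshold: int = 2) -> dict:
    """Return {source_ip: traversal_request_count} for sources that sent at
    least `threshold` traversal requests against the portal prefix."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that are not access-log records
        uri = m["uri"]
        if uri.startswith(portal_prefix) and is_traversal(uri):
            hits[m["src"]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in scan_log(SAMPLE_LOG).items():
        print(f"{src}: {n} traversal requests against the portal")
```

A status code of 404 on these requests is not evidence that the probe failed; a vulnerable build may return the file with 200, a patched one may return 404, and a load balancer in front of the portal may rewrite either. Treat the traversal pattern itself as the indicator and check the firmware version of the device that received it.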

CVE-2018-13379 was resolved in May 2019, followed by CVE-2019-5591 in July of the same year. A patch was issued for CVE-2020-12812 in July 2020. 

"The security of our customers is our first priority," Fortinet said in a statement. "If customers have not done so, we urge them to immediately implement the upgrade and mitigations."

Article was originally written by Charlie Osborne for Zero Day and published on ZDNet at