Malicious Actor Discloses FortiGate SSL-VPN Credentials

By Carl Windsor | September 08, 2021

Fortinet has become aware that a malicious actor has recently disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable.

This incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers. And because customer security is our top priority, Fortinet subsequently issued multiple corporate blog posts detailing this issue, strongly encouraging customers to upgrade affected devices. In addition to advisories, bulletins, and direct communications, these blogs were published in August 2019July 2020,  April 2021, and again in June 2021.

Fortinet is reiterating that, if at any time your organization was running any of the affected versions listed below, even if you have upgraded your devices, you must also perform the recommended user password reset following upgrade, as per the customer support bulletin and other advisory information. Otherwise, you may remain vulnerable post-upgrade if your users' credentials were previously compromised.

Again, if at any time your organization was running an affected version listed in the original advisory, Fortinet recommends immediately taking the following steps to ensure your credentials cannot be abused.

  1. Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.
  2. Immediately upgrade affected devices to the latest available release, as detailed below.
  3. Treat all credentials as potentially compromised by performing an organization-wide password reset.
  4. Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.
  5. Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.

Recommended Upgrade:

Upgrade to FortiOS 5.4.13, 5.6.14, 6.0.13, or 6.2.9 and above.

These are the most recent releases for all originally impacted releases. They also contain additional recommended fixes.


For more information, please immediately refer to our May 2019 advisory, as well as previous communications, including our Customer Support Bulletin (CSB-200716-1) and detailed PSIRT blog published on July 16, 2020.

Security Hygiene is Step One. We're Here to Help

The security landscape is constantly evolving, and maintaining all systems—especially security devices—is essential to staying ahead of cybercriminals. Like most vendors, Fortinet provides customers with support and regular firmware updates to fix issues such as those documented here. However, it remains clear that some organizations do not take advantage of these services nor consistently patch critical systems.

There can be many reasons why patching may be deferred or not completed. The inability to take critical systems offline for patching due to safety or other concerns, onerous testing requirements for new updates, and even understaffed or inexperienced security teams can all play a role. Our online and local technical support experts are available to provide guidance. But for those running affected systems that cannot take immediate remediation steps, Fortinet recommends immediately disabling all SSL-VPN functions until updates can be applied.

At Fortinet, we are on a constant journey with our customers to best protect and secure their organizations. We welcome feedback on how we can better work together in this ongoing process. Please contact PSIRT via our Web Submission form if you have any suggestions or feedback.

You can also use this link to learn details about our current Fortinet PSIRT Policy and how to submit a potential vulnerability to the PSIRT team.