CVE-2018-13382

CVE Database · CVE-2018-13382

CVE-2018-13382

· CRITICALAnalyzed

CVSS v3.1

9.1

EPSS

81.69%

Published

Jun 4, 2019

Modified

Oct 24, 2025

CISA Known Exploited Vulnerability

Added: 2022-01-10 · Due: 2022-07-10

Apply updates per vendor instructions.

Public PoC / Exploit (5)

All weaponized →

Exploit-DBFortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification TrickestTrickest PoC index GitHub PoCmilo2012/CVE-2018-13382★146 GitHub PoCtumikoto/Exploit-FortinetMagicBackdoor★1 GitHub PoCcojoben/CVE-2018-13382★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses (CWE)

CWE-863CWE-863

Affected Products (5)

fortinet · fortiproxy (up to 1.2.9)vulnerable

fortinet · fortiproxyvulnerable

fortinet · fortios (up to 5.4.11)vulnerable

fortinet · fortios (up to 5.6.9)vulnerable

fortinet · fortios (up to 6.0.5)vulnerable

References (5)

https://fortiguard.com/advisory/FG-IR-18-389