Nearly 87,000 username and password combinations for FortiGate SSL-VPN devices have been compromised by threat actors, according to Fortinet. A list of the usernames and passwords was subsequently leaked for free on RAMP, a relatively new Russian-language cybercrime forum, as well as on the leak site for Groove ransomware. In a statement, a Fortinet spokesperson said, “These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable.” CVE-2018-13379 essentially allows unauthorized parties to see usernames and passwords stored in plaintext by viewing the session file. It may come as a surprise that a vulnerability from 2018 is still making waves today: Fortinet has been sending out advisories since August of 2019, and in 2020 it was one of the most exploited vulnerabilities out there.
Situations like these highlight the importance of applying patches when they are made available; instead, a three-year-old vulnerability is still affecting people to this day. Fortinet has suggested that all unpatched Fortinet VPNs should be disabled and upgraded to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, followed by an organization-wide password reset, warning that “you may remain vulnerable post-upgrade if your users’ credentials were previously compromised.” If available, Multi-Factor Authentication (MFA) should always be used along with a strong, previously unused password.
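
The remediation order above (upgrade, then reset every password that predates the upgrade, then add MFA) can be checked against an inventory. The following Python is an added example, not code from Fortinet or the original article; the inventory layout, host and user names are constructed, and reading each listed release as the minimum for its own major.minor branch is an assumption.

```python
from datetime import date

# Releases named in the article; per-branch floor is this example's assumption.
MIN_FIXED = {(5, 4): 13, (5, 6): 14, (6, 0): 11, (6, 2): 8}

# Constructed sample inventory (hypothetical gateways and users).
GATEWAYS = {
    "vpn-a": {"version": "v6.0.4", "patched_on": None},
    "vpn-b": {"version": "6.2.9", "patched_on": date(2020, 3, 1)},
}
ACCOUNTS = {
    "vpn-a": {"alice": {"changed": date(2021, 1, 5), "mfa": True}},
    "vpn-b": {"bob": {"changed": date(2019, 6, 1), "mfa": False},
              "carol": {"changed": date(2020, 4, 1), "mfa": True}},
}

def parse_version(text):
    """Turn 'v6.0.4' or '6.0.4' into (6, 0, 4); reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)

def meets_minimum(version_text):
    """True if the version is at or above the releases the article lists."""
    major, minor, patch = parse_version(version_text)
    if (major, minor) in MIN_FIXED:
        return patch >= MIN_FIXED[(major, minor)]
    # Newer branches count as "and above"; other unlisted ones need an upgrade.
    return (major, minor) > max(MIN_FIXED)

def triage(gateways, accounts):
    """Map each gateway to the remediation steps still outstanding."""
    actions = {}
    for name, gw in gateways.items():
        fixed = meets_minimum(gw["version"])
        todo = [] if fixed else ["disable SSL-VPN and upgrade"]
        patched_on = gw["patched_on"] if fixed else None
        for user, acct in accounts.get(name, {}).items():
            # Set on or before the upgrade (or no upgrade yet): may be leaked.
            if patched_on is None or acct["changed"] <= patched_on:
                todo.append(f"reset password: {user}")
            if not acct["mfa"]:
                todo.append(f"enable MFA: {user}")
        actions[name] = todo
    return actions

if __name__ == "__main__":
    print(triage(GATEWAYS, ACCOUNTS))
```

A gateway with no recorded upgrade date is treated as if every password on it predates the fix, which errs toward resetting more accounts rather than fewer.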