CVE-2018-13379 Explained: Fortinet FortiGate VPN Path Traversal and Credential Exposure
A CVSS 9.8 pre-authentication path traversal in Fortinet FortiOS SSL VPN. Credentials from tens of thousands of devices posted publicly. Exploited years after patching.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2018-13379 is a pre-authentication path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal. Disclosed in May 2019, it scores 9.8 on the CVSS v3 scale. An unauthenticated attacker with network access to the VPN portal can craft a URL that causes the FortiGate appliance to read and return arbitrary files from its filesystem, including session files containing plaintext VPN credentials.
The vulnerability's exploitation lifecycle extended years beyond patching. In September 2021, a threat actor published a list of 87,000 FortiGate VPN credentials extracted via CVE-2018-13379. Analysis confirmed that many of the listed devices had been patched, but their credentials had never been rotated after the exploitation window, leaving them permanently exposed.
The Path Traversal: How Credentials Are Extracted
The Fortinet FortiOS SSL VPN web portal handles HTTP requests for various portal resources. In vulnerable versions, the URL routing logic fails to sanitize path traversal sequences before resolving the requested file path against the filesystem.
By injecting directory traversal sequences (/../) into the URL path, an unauthenticated attacker can navigate outside the intended web root and access system files. The most sensitive target is the FortiOS session file at /dev/cmdb/sslvpn_websession, which stores active and recently active VPN session data including plaintext credentials for users authenticated to the SSL VPN.
A single HTTP GET request to a crafted URL extracts this session file. No authentication, no valid session cookie, and no prior interaction with the device is required. Automated scanners can identify and extract credentials from vulnerable FortiGate devices at internet scale within hours.
Affected versions include FortiOS 6.0.0 through 6.0.4, FortiOS 5.6.3 through 5.6.7, and FortiOS 5.4.6 through 5.4.12. The SSL VPN portal (web-mode) must be enabled for exploitation, a common deployment configuration.
Identify exposed FortiGate SSL VPN portals
Scan for Fortinet FortiGate SSL VPN web portals exposed on HTTPS port 443. The login page is distinctive, with Fortinet branding and SSL VPN portal elements. Shodan and Censys indexes list tens of thousands of exposed appliances.
Send path traversal request
Send an unauthenticated GET request with path traversal sequences targeting the SSL VPN session file. The response body contains the raw session file data, no authentication or session token required.
Extract plaintext credentials
Parse the session file for username and password fields. Credentials stored in the session file are accessible in plaintext or easily reversible format for recently authenticated VPN users.
Authenticate to the VPN
Use the extracted credentials to authenticate to the FortiGate SSL VPN as the compromised user. Gain internal network access equivalent to that user's VPN permissions, often unrestricted access to corporate internal networks.
Lateral movement and persistence
Use the established VPN connection as a launchpad for internal reconnaissance and lateral movement. The connection appears as a legitimate VPN session from the user's credentials, complicating detection.
The 2021 Data Dump: Why Patched Devices Still Had Exposed Credentials
In September 2021, a threat actor published 87,000+ FortiGate VPN credentials on a cybercriminal forum. Fortinet investigated and confirmed the credentials were obtained via CVE-2018-13379. Critically, Fortinet also confirmed that many of the listed devices were running patched FortiOS versions.
This apparent paradox has a straightforward explanation: the patch fixed the path traversal vulnerability, preventing future credential extraction. But it did not invalidate credentials that had already been extracted before or after patching. Users whose credentials were captured during the exploitation window continued to have the same passwords, making the stolen credentials permanently valid for VPN authentication until the passwords were changed.
The 2021 publication represented a threat actor releasing a credential database that may have been collected over an extended period, including during mass exploitation campaigns running in 2019 and 2020. Recipients of that published list could authenticate to FortiGate VPNs using credentials that were years old, because the underlying account passwords had never been changed.
Nation-state actors attributed to Chinese and Iranian groups were among those identified exploiting CVE-2018-13379. CISA's March 2020 advisory (AA20-073A) specifically called out active APT exploitation for initial access to government and commercial sector targets.
“If CVE-2018-13379 has not been patched, we recommend assuming the device has been compromised. Additionally, we recommend changing passwords even if the device has been patched, as credentials may have already been exfiltrated.”
Fortinet PSIRT, September 2021
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Fully Remediating CVE-2018-13379
Fortinet released patches in May 2019. If you are still running vulnerable FortiOS versions, take immediate action. If you have patched but not rotated credentials, you remain at risk from already-extracted credentials.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2018-13379 and its multi-year exploitation arc illustrate the hidden duration of credential compromise. The vulnerability was patched in 2019. Credentials were still being used for unauthorized access in 2021, two years later, because patching a file read vulnerability does not change the passwords that were read.
VPN credentials are high-value because they provide direct network access. In organizations with split-tunnel or full-tunnel VPN configurations providing unrestricted internal access, a single valid credential represents a complete network perimeter bypass. APTs use exactly this access vector because it is silent, authenticated, and difficult to distinguish from legitimate employee connections.
The complete remediation for any credential-exposing vulnerability is patch plus mandatory credential rotation plus investigation. Two of those three steps are consistently overlooked. All three are required.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2018-13379 and how are credentials stolen?
CVE-2018-13379 is a CVSS 9.8 pre-authentication path traversal in Fortinet FortiOS SSL VPN. An unauthenticated attacker sends a crafted HTTP GET request with directory traversal sequences that cause the FortiGate appliance to return the SSL VPN session file (/dev/cmdb/sslvpn_websession), which contains plaintext credentials for recently authenticated VPN users. No login is required. Automated scanners could extract credentials from vulnerable devices at internet scale within hours of the public advisory.
How do I fix CVE-2018-13379?
Upgrade FortiOS to 6.0.5, 5.6.8, 5.4.13, or any later release. Critically, patch alone is insufficient, you must require all VPN users to change their passwords regardless of whether you believe the device was exploited. Credentials extracted before or during the patch window may still be valid for VPN authentication. Also enable MFA on all FortiGate SSL VPN access to ensure stolen credentials cannot be used without a second factor.
Why were 87,000 FortiGate credentials published in 2021 if the patch was released in 2019?
In September 2021, a threat actor published a database of 87,000+ FortiGate VPN credentials extracted via CVE-2018-13379. Fortinet confirmed many listed devices were running patched firmware, the patch fixed the file read, but did not change the passwords that had already been stolen. Users who hadn't changed their VPN passwords since the 2019 exploitation window still had valid credentials in the attacker's database, enabling authentication to patched devices years after the vulnerability was closed.
Which nation-state groups exploited CVE-2018-13379 and what were their targets?
CISA Advisory AA20-073A confirmed that advanced persistent threat (APT) actors attributed to China and Iran exploited CVE-2018-13379 for initial access to US government agencies, defense contractors, healthcare organizations, and critical infrastructure. Iranian threat groups (Phosphorus/APT35) used FortiGate VPN access for persistent espionage and pre-positioning for disruptive operations. Chinese APT groups used it for intellectual property theft. The vulnerability was also listed in a 2021 joint advisory as one of the top five vulnerabilities routinely exploited by Chinese state-sponsored actors.
How do I check if my FortiGate SSL VPN is still vulnerable to CVE-2018-13379?
Check your FortiOS firmware version by running `get system status` in the FortiGate CLI and looking for the Version field. Versions 6.0.0 through 6.0.4, 5.6.3 through 5.6.7, and 5.4.6 through 5.4.12 with SSL VPN portal mode enabled are vulnerable. Patched versions are 6.0.5 and later, 5.6.8 and later, 5.4.13 and later. Additionally, verify that your FortiOS instance is running a post-2019 firmware build by checking the release date. Any FortiGate running a build older than the patch releases should be treated as compromised regardless of current exploitation indicators.
Does patching CVE-2018-13379 prevent further credential theft from the 2021 leak list?
Patching prevents future credential extraction via the path traversal but does nothing to protect credentials already in the 2021 published database. If your FortiGate's IP address appeared in the September 2021 leak, your users' VPN credentials from that era are in attacker hands regardless of current patch status. Mandatory password rotation for all VPN users is the only remediation for already-stolen credentials. Even if your organization's FortiGate was not in the published list, it may have been included in non-public credential databases collected during the same exploitation campaigns.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
