Improper Access Control in Fortinet FortiOS and FortiADC Products
CVE-2018-13374

4.3MEDIUM

Key Information:

Vendor: Fortinet
Status: Fortinet FortiOS, Fortiadc
Vendor: CVE Published:; 22 January 2019

Badges

💰 Ransomware👾 Exploit Exists🦅 CISA Reported

Summary

An improper access control vulnerability exists in Fortinet's FortiOS and FortiADC products that allows an attacker to obtain sensitive LDAP server login credentials. This occurs when a malicious actor points an LDAP server connectivity test request to a rogue LDAP server, instead of the intended configuration. Organizations utilizing affected versions should take immediate action to secure their systems and avoid potential data breaches.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

Fortinet FortiOS, fortiADC FortiOS 6.0.2, 5.6.7 and before, FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4

References

https://fortiguard.com/advisory/FG-IR-18-157

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

💰
Used in Ransomware
Sep 8, 2022
👾
Exploit known to exist
Sep 8, 2022
🦅
CISA Reported
Sep 8, 2022
Vulnerability published
Jan 22, 2019
Vulnerability Reserved
Jul 6, 2018