CVE-2018-13379

Vulnerability Profile Updated a month ago
CVE-2018-13379 is a critical vulnerability affecting FortiOS and FortiGuard, a flaw in the software's design or implementation that can expose sensitive credentials. It has been exploited so often that it appeared on the list of the top 15 most routinely exploited vulnerabilities in both 2020 and 2021, and, dating back to 2018, it is one of the oldest vulnerabilities still under active exploitation. It is particularly notable as a means for threat actors to gain initial access to victim networks.

The Play ransomware group is known to exploit this vulnerability, among others, as part of its attack strategy. Play typically gains initial access by abusing valid accounts and exploiting public-facing applications, specifically known vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell, CVE-2022-41040 and CVE-2022-41082). The Fortinet SSL VPN vulnerability (CVE-2018-13379) was the most routinely exploited bug last year, followed by the ProxyShell bugs and a flaw in Zoho ADSelfService Plus (CVE-2021-40539). More recently, an Advanced Persistent Threat (APT) actor leveraged the Fortinet VPN vulnerability (CVE-2018-13379) for initial network access and a Windows Netlogon vulnerability (CVE-2020-1472) to reach Windows Active Directory servers and escalate privileges within the network.

These ongoing exploitations underscore the importance of patching even older vulnerabilities like CVE-2018-13379, since they continue to present significant security risk.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Vulnerability, Ransomware, T1078, FortiOS, VPN, Adlumin, T1190, APT, exploited, Windows, ESXi, PaperCut, FortiGuard, RMM, Fortinet
Associated Malware
LockBit (type: Unspecified, votes: 1): LockBit is a significant malware operation, first surfacing in September 2019 and becoming one of the most active ransomware groups by 2022. Operating under a Ransomware-as-a-Service (RaaS) model, LockBit recruited affiliates to execute attacks using its tools and infrastructure. From its first obse
Associated Threat Actors
POLONIUM (type: Unspecified, votes: 2): Polonium is a threat actor group, believed to be based in Lebanon, that has been responsible for significant cyberattacks on Israel's operational technology (OT) and critical infrastructure. In December, Israel's National Cyber Directorate issued warnings that Polonium had targeted critical sectors

Phosphorus (type: Unspecified, votes: 1): Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the
Associated Vulnerabilities
CVE-2022-41040 (type: Unspecified, votes: 2): CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism

CVE-2022-41082 (type: Unspecified, votes: 2): CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack

CVE-2020-12812 (type: Unspecified, votes: 2): no profile description.

ProxyNotShell (type: Unspecified, votes: 2): ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t

ProxyShell (type: Unspecified, votes: 2): ProxyShell is a chain of three vulnerabilities (tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that affect Microsoft Exchange email servers. These vulnerabilities allow unauthenticated attackers to gain administrator access and execute remote code on unpatched servers. Discovered in

Log4Shell (type: Unspecified, votes: 2): Log4Shell is a critical software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the logging feature of the Java programming language, known as Log4j. This flaw was publicly disclosed on December 9, 2021, impacting millions of devices and applications globally, including those

ProxyNotShell CVE-2022-41040 (type: Unspecified, votes: 1): no profile description.

Follina (type: Unspecified, votes: 1): Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou

ProxyNotShell CVE (type: Unspecified, votes: 1): no profile description.

CVE-2020-1472 (type: Unspecified, votes: 1): CVE-2020-1472, also known as the ZeroLogon vulnerability, is a critical-severity privilege escalation flaw in Microsoft's Netlogon Remote Protocol. It was patched by Microsoft on August 11, 2020. This vulnerability allows attackers to gain administrative access to a Windows domain controller without

CVE-2021-31207 (type: Unspecified, votes: 1): no profile description.

CVE-2021-34473 (type: Unspecified, votes: 1): CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to

CVE-2021-34523 (type: Unspecified, votes: 1): no profile description.

CVE-2021-40539 (type: Unspecified, votes: 1): no profile description.
Source Document References
Information about the CVE-2018-13379 vulnerability was drawn from the documents listed below. This display is limited to 20 results.

CERT-EU (8 months ago): PLAY Cyber Attack: 6 New Victims Targeted In Ransom Attack
CISA (6 months ago): #StopRansomware: Play Ransomware | CISA
Malwarebytes (10 months ago): 2022's most routinely exploited vulnerabilities: history repeats
BankInfoSecurity (10 months ago): Play Ransomware Using MSPs and N-Days to Attack
MITRE (a year ago): Exposing POLONIUM activity and infrastructure targeting Israeli organizations - Microsoft Security Blog
CERT-EU (10 months ago): Play Ransomware Targets Victims Via MSPs' RMM Software
CERT-EU (10 months ago): Five Eyes Agencies Call Attention to Most Frequently Exploited Vulnerabilities
Recorded Future (a year ago): Semiconductor Companies Targeted by Ransomware | Recorded Future
BankInfoSecurity (10 months ago): Patching Conundrum: 5-Year Old Flaw Again Tops Most-Hit List
CERT-EU (6 months ago): Ransomware Dwell Time Hits Low of 24 Hours | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): LockBit Ransomware Gang Earned $91 Million Ever Since It Discovered
Fortinet (a year ago): Meet LockBit: The Most Prevalent Ransomware in 2022 | FortiGuard Labs
DARKReading (6 months ago): Iran Threatens Israel's Critical Infrastructure With 'Polonium' Proxy
BankInfoSecurity (10 months ago): Patching Conundrum: 4-Year Old Flaw Again Tops Most-Hit List
MITRE (6 months ago): Evolving trends in Iranian threat actor activity - MSTIC presentation at CyberWarCon 2021 | Microsoft Security Blog
DARKReading (10 months ago): 'Play' Ransomware Group Targeting MSPs Worldwide in New Campaign
CERT-EU (10 months ago): Five Eyes nations list 12 most exploited vulnerabilities
BankInfoSecurity (6 months ago): Breach Roundup: MongoDB Blames Phishing Email for Breach
CERT-EU (10 months ago): Play Ransomware Using MSPs and N-Days to Attack
CERT-EU (5 months ago): Infographic: A History of Network Device Threats and What Lies Ahead | #ransomware | #cybercrime | National Cyber Security Consulting