CVE-2018-13379

Vulnerability updated 7 months ago (2024-05-04T19:17:35.078Z)

Download STIX

Preview STIX

CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 2020 and 2021. It is one of the oldest vulnerabilities still being actively exploited, dating back to 2018. It's particularly notable for its role in facilitating initial access to victim networks by threat actors. The Play ransomware group has been known to exploit this vulnerability, among others, as part of their attack strategy. They typically gain initial access to victim networks by abusing valid accounts and exploiting public-facing applications. Specifically, they have exploited known vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell CVE-2022-41040 and CVE-2022-41082). The Fortinet SSL VPN vulnerability (CVE-2018-13379) was the most routinely exploited bug last year, followed by the ProxyShell bugs and a flaw in Zoho ADSelfService Plus (CVE-2021-40539). More recently, an Advanced Persistent Threat (APT) actor leveraged the Fortinet VPN vulnerability (CVE-2018-13379) for initial network access and a Windows Netlogon vulnerability (CVE-2020-1472) to gain access to Windows Active Directory servers for privilege escalation within the network. These ongoing exploitations underscore the importance of patching even older vulnerabilities like CVE-2018-13379, as they continue to present significant security risks.

Description last updated: 2024-05-04T18:19:13.742Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Vulnerability

Ransomware

Fortios

Vpn

Adlumin

T1078

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The POLONIUM Threat Actor is associated with CVE-2018-13379. Polonium is a threat actor group, believed to be based in Lebanon, that has been responsible for significant cyberattacks on Israel's operational technology (OT) and critical infrastructure. In December, Israel's National Cyber Directorate issued warnings that Polonium had targeted critical sectors	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Proxyshell Vulnerability is associated with CVE-2018-13379. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac	Unspecified	2
The CVE-2022-41040 Vulnerability is associated with CVE-2018-13379. CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism	Unspecified	2
The CVE-2022-41082 Vulnerability is associated with CVE-2018-13379. CVE-2022-41082 is a critical software vulnerability discovered in Microsoft Exchange Servers, which allows for Remote Code Execution (RCE). This flaw is one of two zero-day vulnerabilities found, the other being CVE-2022-41040. The RCE vulnerability presents a significant threat as it enables attack	Unspecified	2
The vulnerability CVE-2020-12812 is associated with CVE-2018-13379.	Unspecified	2
The Proxynotshell Vulnerability is associated with CVE-2018-13379. ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t	Unspecified	2
The Log4Shell Vulnerability is associated with CVE-2018-13379. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized	Unspecified	2

Source Document References

Information about the CVE-2018-13379 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CISA	6 days ago	2023 Top Routinely Exploited Vulnerabilities \| CISA
CERT-EU	a year ago	Emerging Threat: What to Know About the Play Ransomware Group
InfoSecurity-magazine	4 months ago	Ransomware Groups Prioritize Defense Evasion for Data Exfiltration
CERT-EU	9 months ago	Sensor Intel Series: Top CVEs in December 2023
DARKReading	10 months ago	'Midnight Blizzard' Breached HPE Email Months Before Microsoft Hack
CERT-EU	10 months ago	Infographic: A History of Network Device Threats and What Lies Ahead
CERT-EU	10 months ago	Infographic: A History of Network Device Threats and What Lies Ahead \| #ransomware \| #cybercrime \| National Cyber Security Consulting
BankInfoSecurity	a year ago	Breach Roundup: MongoDB Blames Phishing Email for Breach
CISA	a year ago	#StopRansomware: Play Ransomware \| CISA
CERT-EU	a year ago	Play Ransomware: SafeBreach Coverage for US-CERT Alert (AA23-352A)
MITRE	a year ago	Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 \| Microsoft Security Blog
DARKReading	a year ago	Iran Threatens Israel's Critical Infrastructure With 'Polonium' Proxy
CERT-EU	a year ago	Ransomware Dwell Time Hits Low of 24 Hours \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Sensor Intel Series: Top CVEs in October 2023
CERT-EU	a year ago	Cybercriminals can go from click to compromise in less than a day \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	PLAY Cyber Attack: 6 New Victims Targeted In Ransom Attack
CERT-EU	a year ago	Sensor Intel Series: Top CVEs in August 2023 \| F5 Labs
BankInfoSecurity	a year ago	Feds Urge Immediate Patching of Zoho and Fortinet Products
BankInfoSecurity	a year ago	Feds Urge Immediately Patching of Zoho and Fortinet Products
CERT-EU	a year ago	Qualys Top 20 Exploited Vulnerabilities \| Qualys Security Blog