A hacker known online as “pumpedkicks” has posted online a list of one-line exploits that could be used to steal VPN credentials from nearly 50,000 Fortinet VPN devices. The list contains 49,577 IPs vulnerable to Fortinet SSL VPN CVE-2018-13379, according to researchers from Bank Security, who first noticed the leak.
The list of vulnerable targets includes domains belonging to large enterprises, financial institutions, and government organizations from all over the world.
CVE-2018-13379 is a path traversal issue in the FortiOS SSL VPN web portal that allows a remote attacker to conduct a directory traversal attack and download arbitrary files from the portal, upload malicious files to unpatched systems, and take over Fortinet VPN servers.
According to security researcher Ax Sharma, who examined the exploit shared by “pumpedkicks,” the exploit could allow attackers to access the sslvpn_websession files from Fortinet VPNs to steal login credentials, which could then be used to compromise a network and deploy malware.
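For defenders reviewing portal access logs, the following added example (not from the article or from Fortinet) flags requests that carry path traversal sequences, including percent- and double-encoded forms, or that reach for the sslvpn_websession file named above. The log lines and the request paths in them are constructed placeholders, not a real capture or the real exploit URL.

```python
import re
from urllib.parse import unquote

# Constructed portal access-log lines for this example (not real captures);
# the request paths are placeholders, not the actual CVE-2018-13379 request.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Nov/2020:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 512
203.0.113.11 - - [18/Nov/2020:10:01:05 +0000] "GET /remote/PLACEHOLDER?lang=/../../sslvpn_websession HTTP/1.1" 200 4096
203.0.113.12 - - [18/Nov/2020:10:01:09 +0000] "GET /remote/PLACEHOLDER?lang=%2f..%2f..%2fsslvpn_websession HTTP/1.1" 200 4096
203.0.113.13 - - [18/Nov/2020:10:01:11 +0000] "GET /remote/PLACEHOLDER?lang=%252e%252e%252fother_file HTTP/1.1" 404 0
203.0.113.14 - - [18/Nov/2020:10:01:15 +0000] "GET /remote/logincheck?lang=en HTTP/1.1" 200 128
"""

# Common-log-format request line: client IP, then the quoted method/target.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A ".." segment that begins a path step (not part of a name such as "a..b").
TRAVERSAL_RE = re.compile(r'(?<![.\w])\.\.(?:/|$)')

def decode_target(raw, rounds=3):
    """Percent-decode repeatedly so single- and double-encoded paths normalise alike."""
    current = raw
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace('\\', '/').lower()

def classify_target(raw):
    """Return the reasons a request target looks like traversal / session-file abuse."""
    decoded = decode_target(raw)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append('path traversal sequence')
    if 'sslvpn_websession' in decoded:
        reasons.append('sslvpn_websession requested')
    return reasons

def scan_log(text):
    """Return one finding per suspicious request line in an access log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reasons = classify_target(m['target'])
        if reasons:
            findings.append({'ip': m['ip'], 'target': m['target'], 'reasons': reasons})
    return findings

for f in scan_log(SAMPLE_LOG):
    print(f"{f['ip']} {f['target']} -> {', '.join(f['reasons'])}")
```

Run against the constructed sample, the three middle lines are flagged and the two ordinary portal requests are not; a 200 response with a large body on a flagged line is the case worth escalating.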
Although the flaw was disclosed more than a year ago, many organizations have yet to patch their systems despite multiple warnings from security experts. One of the more recent warnings is a joint alert released by the FBI and CISA last month highlighting attacks on US state, local, tribal, and territorial government networks in which sophisticated hackers are combining VPN and Windows vulnerabilities.