Hackers Leak 87,000 Fortinet VPN Passwords

In the latest lesson about the importance of patching, the credentials for 87,000 Fortinet FortiGate VPNs have been posted on a dark web forum by hackers.

Fortinet confirmed the veracity of the hackers’ claims in a blog post today. The network security vendor said the credentials were stolen from systems that remain unpatched against a two-year-old vulnerability – CVE-2018-13379 – or from users who patched that vulnerability but failed to change passwords.

Fortinet said it has warned customers several times to update affected devices and reset passwords – and the vulnerability was even recently named one of the most exploited by the FBI and CISA. Some of the compromised IP addresses were posted to GitHub so users can check whether their VPNs were affected.

In an advisory, Fortinet said the path traversal vulnerability in the FortiOS SSL VPN web portal may allow an attacker to download FortiOS system files through specially crafted HTTP resource requests.

Affected products include FortiOS 6.0 (6.0.0 to 6.0.4), FortiOS 5.6 (5.6.3 to 5.6.7) and FortiOS 5.4 (5.4.6 to 5.4.12), if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Affected users should disable all VPNs (SSL-VPN or IPSEC) before taking the following remediation steps:

  • Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
  • Treat all credentials as potentially compromised and perform an organization-wide password reset.
  • Implement multi-factor authentication, “which will help mitigate the abuse of any compromised credentials now and in the future,” Fortinet said.

Fortinet added that users should be informed of the issue in case they have reused passwords in other applications.
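As an added example (not code from the article or from Fortinet), the two checks the advisory text above implies, written in Python with hypothetical helper names: whether a FortiOS build string falls inside the affected ranges listed, and whether any of an organisation's own gateway addresses appears in a leaked-address list like the one the article says was posted to GitHub. The leak contents and gateway addresses below are constructed sample data.

```python
import ipaddress
import re

# Affected FortiOS ranges for CVE-2018-13379 (inclusive), as listed in the advisory.
AFFECTED_RANGES = [
    ((5, 4, 6), (5, 4, 12)),
    ((5, 6, 3), (5, 6, 7)),
    ((6, 0, 0), (6, 0, 4)),
]

def parse_version(version: str) -> tuple:
    """Turn a FortiOS version string such as '6.0.4' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    return tuple(int(p) for p in m.groups())

def is_affected_version(version: str, sslvpn_enabled: bool = True) -> bool:
    """True if the build is in an affected range and SSL VPN is enabled.
    Builds outside the ranges (5.4.13, 5.6.8, 6.0.5, 6.2.x ...) count as fixed.
    A patched box whose passwords were never rotated is still at risk; that
    is not a version question and has to be checked separately."""
    if not sslvpn_enabled:
        return False
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def exposed_gateways(own_ips, leaked_list: str) -> list:
    """Return which of our IPv4 VPN gateway addresses appear in a leaked list.
    Entries may carry a port or path ('203.0.113.5:10443/remote/login'), so
    only the host part is compared; blank lines and '#' comments are ignored."""
    leaked = set()
    for line in leaked_list.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = re.split(r"[:/]", line, maxsplit=1)[0]
        try:
            leaked.add(ipaddress.IPv4Address(host))
        except ValueError:
            continue  # not an IPv4 literal; skip it
    return sorted(ip for ip in own_ips if ipaddress.IPv4Address(ip) in leaked)

# Constructed sample data (RFC 5737 documentation addresses), not real leak contents.
SAMPLE_LEAK = """# leaked FortiGate SSL-VPN endpoints (constructed sample)
203.0.113.5:10443/remote/login
198.51.100.77:443
malformed-entry
"""
OUR_GATEWAYS = ["203.0.113.5", "192.0.2.10", "198.51.100.77"]
```

A match in `exposed_gateways` means that gateway's credentials should be treated as compromised regardless of its current firmware version.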

Unpatched known vulnerabilities were found to be responsible for 60% of breaches in a 2019 Ponemon-ServiceNow study, yet patching remains one of the simplest – and most neglected – cybersecurity controls.

Further reading:

Best Patch Management Software & Tools

Passwordless Authentication 101

How to Defend Common IT Security Vulnerabilities

Paul Shread
eSecurityPlanet Editor Paul Shread has covered nearly every aspect of enterprise technology in his 20+ years in IT journalism, including award-winning articles on endpoint security and virtual data centers. He wrote a column on small business technology for Time.com, and covered financial markets for 10 years, from the dot-com boom and bust to the 2007-2009 financial crisis. He holds a market analyst certification. In a previous life he worked for daily newspapers, including the Baltimore Sun, and spent 7 years covering the federal government. Al Haig once compared him to Bob Woodward (true story - just ask Google).
