Hackers Leak 87,000 Fortinet VPN Passwords

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

In the latest lesson about the importance of patching, the credentials for 87,000 Fortinet FortiGate VPNs have been posted on a dark web forum by hackers.

Fortinet confirmed the veracity of the hackers’ claims in a blog post today. The network security vendor said the credentials were stolen from systems that remain unpatched against a two-year-old vulnerability – CVE-2018-13379 – or from users who patched that vulnerability but failed to change passwords.

Fortinet said it’s warned customers several times to update affected devices and reset passwords – and the vulnerability was even recently named one of the most exploited by the FBI and CISA. Some of the compromised IP addresses were posted to Github so users can check to see if their VPNs were affected.

In an advisory, Fortinet said the path traversal vulnerability in the FortiOS SSL VPN web portal may allow an attacker to download FortiOS system files through specially crafted HTTP resource requests.

Affected products include FortiOS 6.0 – 6.0.0 to 6.0.4; FortiOS 5.6 – 5.6.3 to 5.6.7; and FortiOS 5.4 – 5.4.6 to 5.4.12; if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Affected users should disable all VPNs (SSL-VPN or IPSEC) before taking the following remediation steps:

  •  Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
  • Treat all credentials as potentially compromised and perform an organization-wide password reset.
  • Implement multi-factor authentication, “which will help mitigate the abuse of any compromised credentials now and in the future,” Fortinet said.

Fortinet added that users should be informed of the issue in case they have reused passwords in other applications.

Unpatched known vulnerabilities were found to be responsible for 60% of breaches in a 2019 Ponemon-ServiceNow study, yet patching remains one of the simplest – and most neglected – cybersecurity controls.

Further reading:

Best Patch Management Software & Tools

Passwordless Authentication 101

How to Defend Common IT Security Vulnerabilities

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Paul Shread Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis