CVE DATABASE / CVE-2018-13379
CVE-2018-13379
Fortinet FortiOS SSL VPN Path Traversal Vulnerability
Confirmed exploited in the wild. Added 2021-11-03.
Federal remediation due 2022-05-03.
Required action: Apply updates per vendor instructions.
Summary
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
CVSS 3.1 breakdown
| Base score | 9.1 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | NONE |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- https://fortiguard.com/advisory/FG-IR-18-384
- https://www.fortiguard.com/psirt/FG-IR-20-233
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13379
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-24. Always verify against the vendor advisory before acting.