A hacker has published a list of one-line exploits aimed at stealing credentials from approximately 50,000 Fortinet VPN appliances. The list of vulnerable targets includes domains owned by banks and government agencies around the world. The vulnerability in question is CVE-2018-13379, a path-traversal flaw affecting a large number of unpatched devices running Fortinet FortiOS SSL VPN. By exploiting it, an attacker can read system files via specially crafted HTTP requests.
The exploits posted by the hacker allow the sslvpn_websession file to be read from Fortinet VPNs, exposing plaintext login credentials. The stolen credentials can then be used to breach a network, as well as to deploy ransomware. Although the 2018 vulnerability was publicly disclosed over a year ago, researchers have identified about 50,000 targets that are still vulnerable to attack.
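As an added illustration of the detection side (example code written for this page, not Fortinet's code and not the posted exploit), the following Python scans access-log lines in a common combined-log layout for path-traversal requests that reference the sslvpn_websession file described above. The log lines, the /remote/download endpoint and the IP addresses are constructed for the example; the detector keys on the traversal pattern plus the file name rather than on any particular URL, and it decodes the request path repeatedly so that URL-encoded and double-encoded traversal sequences are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (combined-log style). These are illustrative,
# not captured from a real appliance; the /remote/download endpoint is assumed.
SAMPLE_LOGS = [
    '203.0.113.10 - - [20/Nov/2020:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1523',
    '198.51.100.7 - - [20/Nov/2020:10:01:05 +0000] "GET /remote/download?lang=/../../../../sslvpn_websession HTTP/1.1" 200 33120',
    '198.51.100.7 - - [20/Nov/2020:10:01:09 +0000] "GET /remote/download?lang=%252e%252e%252f%252e%252e%252fsslvpn_websession HTTP/1.1" 200 33120',
    '192.0.2.44 - - [20/Nov/2020:10:02:30 +0000] "GET /static/..%5c..%5cetc/passwd HTTP/1.1" 404 210',
    '203.0.113.10 - - [20/Nov/2020:10:03:00 +0000] "POST /remote/logincheck HTTP/1.1" 200 88',
]

# ip, two unused fields, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." segment followed by a separator (or end of string) after normalisation.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')
TARGET_FILE = "sslvpn_websession"


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (to defeat double encoding) and unify slashes."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Treat backslashes as path separators so "..\" variants are not missed.
    return decoded.replace("\\", "/")


def classify_request(path: str):
    """Return a verdict string for a request path, or None if it looks benign."""
    norm = normalize_path(path)
    if TARGET_FILE in norm:
        # Any reference to the session file is suspicious on its own.
        return "credential-file-read"
    if TRAVERSAL_RE.search(norm):
        return "path-traversal"
    return None


def scan_logs(lines):
    """Parse log lines and return a finding dict for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        verdict = classify_request(m.group("path"))
        if verdict is None:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": m.group("path"),
            "verdict": verdict,
            "status": status,
            # A 2xx on a traversal request suggests the server served the file.
            "likely_succeeded": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f)
```

A flagged request that received a 200 response should be treated as a probable credential exposure rather than a mere probe: the practical consequence is that the affected VPN users' passwords need to be reset after the appliance is patched, since upgrading alone does not invalidate credentials that were already read out of sslvpn_websession.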
Last week, the threat intelligence analyst Bank_Security found a thread on a hacking forum in which a cybercriminal shared a list of about 50,000 exploitable devices. Analysis of the list showed that the vulnerable targets include government domains from around the world, as well as banks and financial services companies.
According to BleepingComputer, most of the 50,000 domains belonged to banking, financial and government organizations. The Bank_Security analyst told BleepingComputer that, after seeing the hacker's post on the forum, he began analyzing the list of IP addresses to determine whether and to what extent the targeted organizations were affected, trying to identify the domain names associated with high-profile organizations and banks.
The analyst also pointed out that although this is an old, well-known vulnerability that is relatively easy to exploit, organizations have "a very slow" patching process, which allows attackers to keep exploiting known vulnerabilities.
It is worth noting that attackers have recently exploited the same vulnerability to breach US election-related systems. Network administrators and security professionals are therefore advised to patch this serious vulnerability immediately to prevent further attacks, and, because the flaw exposes stored credentials, to reset the passwords of VPN users on any appliance that may have been exposed while unpatched.