Threat actor shared a list of 49,577 IPs vulnerable Fortinet VPNs

Pierluigi Paganini November 22, 2020

A threat actor has published online a list of one-line exploits to steal VPN credentials from over 49,000 vulnerable Fortinet VPNs.

A threat actor, who goes online with the moniker “pumpedkicks,” has leaked online a list of exploits that could be exploited to steal VPN credentials from almost 50,000 Fortinet VPN devices.

Researchers from Bank Security first reported the availability of the list of 49,577 IPs vulnerable to Fortinet SSL VPN CVE-2018-13379.

After a nslookup on all IPs, I found that among the victims there are some Banks, many .gov domains and thousands of companies around the world. https://t.co/F4o9xzjGJ4
— Bank Security (@Bank_Security) November 20, 2020

The list includes devices belonging to big enterprises, financial institutions, and government organizations across the world.

IPs vulnerable to Fortinet SSL VPN CVE-2018-13379

The Fortinet VPN devices included in the list are vulnerable to the CVE-2018-13379, which is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files, to upload malicious files on unpatched systems, and take over Fortinet VPN servers.

The popular researcher AX Sharma, who analyzed the exploit shared by the threat actor, explained that it could allow attackers to access the sslvpn_websession files from FortiNet VPNs to steal login credentials.

Upon obtaining the stolen credentials, attackers could use them to gain access to the target networks and carry out multiple malicious operations, such as manually delivering malware and ransomware.

Since August 2019, the popular cybersecurity expert Kevin Beaumont has reported that threat actors were attempting to exploit the CVE-2018-13379 in the FortiOS SSL VPN web portal and CVE-2019-11510 flaw in Pulse Connect Secure.

CISA and FBI have recently observed attacks carried out by APT actors that combined two the CVE-2018-13379 and CVE-2020-1472 flaws.

Government experts explained that attackers are combining these two flaws to hijack Fortinet servers and use them as an entry point in government networks, then take over internal networks using the Zerologon flaw to compromise all Active Directory (AD) identity services.

According to Ax Sharma, the list of vulnerable Fortinet VPNs includes over four dozen IP belonging to major banking, finance, and governmental organizations.

The most worrisome aspect of this discovery is that despite the CVE-2018-13379 is a well-know vulnerabilty, many organizazion have yet to fix it more than 2 years after its public disclosure.

This means that the affected organizations are failing to implement an efficient patch management process.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet VPNs)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini July 08, 2025

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini July 08, 2025