Fortinet Reports Leak of Thousands of VPN User Login Credentials

American cybersecurity company Fortinet published a blog post on September 8, 2021 informing the public of the leak of login credentials for around 87,000 FortiGate SSL-VPN devices produced by the company. The leak originated from devices that were still unpatched against the CVE-2018-13379 vulnerability.

The vulnerability in question, which was given a 9+ 'critical' score, received a security update addressing it way back in 2019, so this is definitely the type of leak that stems from systems and devices left running significantly outdated software. However, this does not change the fact that the leak is real.

Threatpost further reported that, according to security researchers, an unnamed threat actor has leaked many more login credentials linked to Fortinet VPNs. A team working with security firm Advanced Intel checked the IP addresses associated with the credentials and found they belonged to devices located all over the globe. The biggest chunks of the reported larger credential leak belong to IPs located in India, Taiwan and Italy.

The exploit abused in the unpatched VPNs is well known in the infosec community. In fact, it made the cut as one of the 12 most exploited vulnerabilities even in 2020.

The fact that similar old, known and long-since patched vulnerabilities still lead to data theft and exploitation by bad actors goes to show how significant a number of systems run outdated software, and often outdated firmware as well.

The importance of keeping all your hardware and software updated to the latest possible version, even if you are a home user and not an enterprise network administrator, cannot be overstated. Similar old vulnerabilities can be found in thousands of devices running old versions of their software and give bad actors fertile ground for exploitation years after the developers have patched the issue, simply because thousands of systems remain unpatched.

September 10, 2021