WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Threat Spotlight: Credential Theft vs. Admin Control—Two Devastating Paths to VPN Exploitation

Summary:
The ongoing exploitation of VPN-related vulnerabilities, such as CVE-2018-13379 and CVE-2022-40684, continues to be a major threat to organizations worldwide. These vulnerabilities, despite being disclosed years ago, are still widely used by attackers in large-scale campaigns targeting VPN infrastructure. According to security firm ReliaQuest, VPN vulnerabilities primarily enable credential theft and administrative control, which are leveraged by cybercriminals and state-sponsored advanced persistent threat groups for a range of malicious activities. Stolen credentials can be sold on dark web markets, while administrative access gives adversaries unrestricted control over critical systems, enabling long-term cyber espionage operations.

Research from ReliaQuest reveals a significant 4,223% increase in discussions on cybercriminal forums related to Fortinet VPN exploits, highlighting the growing focus on exploiting these vulnerabilities. Exploits like CVE-2018-13379, a path traversal vulnerability in Fortinet’s VPN devices, remain popular due to their ability to provide unauthenticated access to sensitive system files, including plaintext usernames and passwords. Once attackers gain these credentials, they can infiltrate networks, move laterally, and exfiltrate data undetected. Moreover, vulnerabilities such as CVE-2022-40684 provide attackers with super-admin access, enabling automated attacks on an even larger scale.

Security Officer Comments:
The continued exploitation of vulnerabilities like CVE-2018-13379 and CVE-2022-40684 is primarily driven by the widespread failure to patch systems, leaving them vulnerable to potential attacks. Many organizations underestimate the risks posed by older vulnerabilities or are reluctant to patch due to concerns about potential downtime, resulting in systems remaining exposed. This lack of urgency is further compounded by the availability of proof-of-concept exploits circulating on underground forums, which lower the barrier for large-scale exploitation. As a result, attackers can effectively and efficiently compromise VPN infrastructure, gaining persistent access and a clear pathway to infiltrate an organization’s entire network, steal sensitive data, or deploy ransomware.

Suggested Corrections:
Recommendations from ReliaQuest:
  • Conduct Regular Configuration Audits: Attackers often exploit static or misconfigured settings, which can leave systems vulnerable long after the initial breach. Regularly reviewing VPN configurations, user roles, access policies, and API logs helps identify unauthorized changes, anomalies, or malicious policies before they can be leveraged further.
  • Enforce Network Segmentation: Segmenting critical systems and isolating VPN traffic limits the impact of a breach by preventing attacks from moving laterally across the network after gaining admin control. This minimizes the scope of damage and ensures sensitive systems remain protected. Strict segmentation rules, along with ACLs, restrict traffic based on roles and device locations, further reducing the attack surface.
  • Enable Robust API Monitoring: Monitoring API activity on Fortinet devices can help detect unauthorized actions, such as admin account creation or policy changes, which are common during exploitation. Real-time alerts for unusual API calls enable quick identification of potential threats, allowing you to respond before attackers gain deeper access or persistence.
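As an added illustration of the API-monitoring recommendation above (this is example code, not code from ReliaQuest or from this site), the following Python script flags admin-account creation and firewall-policy changes in constructed log lines modelled loosely on FortiOS key="value" configuration-change events. The field names, the trusted-management allowlist and the sample addresses are all assumptions made for the example.

```python
import re

# Constructed sample events. The key="value" layout and field names are modelled
# loosely on FortiOS configuration-change logs and are an assumption, not a spec.
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:12:01 type="event" subtype="system" user="admin" '
    'ui="GUI(10.10.5.20)" action="Edit" cfgpath="system.global" msg="Edit system.global"',
    'date=2024-05-01 time=09:13:44 type="event" subtype="system" user="admin" '
    'ui="REST(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'msg="Add system.admin svc_backup"',
    'date=2024-05-01 time=09:14:10 type="event" subtype="system" user="svc_backup" '
    'ui="REST(203.0.113.77)" action="Add" cfgpath="firewall.policy" cfgobj="99" '
    'msg="Add firewall.policy 99"',
    'date=2024-05-01 time=10:00:00 type="event" subtype="system" user="netops" '
    'ui="GUI(10.10.5.21)" action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'msg="Edit firewall.policy 12"',
]

# Constructed allowlist of management hosts expected to change configuration.
TRUSTED_MGMT = {"10.10.5.20", "10.10.5.21"}
# Configuration paths the advisory singles out: admin accounts and firewall policies.
SENSITIVE_PATHS = {"system.admin", "firewall.policy"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')            # key=value or key="value with spaces"
UI_RE = re.compile(r'^(?P<channel>[A-Za-z]+)\((?P<src>[^)]+)\)')  # e.g. REST(203.0.113.77)

def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v, _ in KV_RE.findall(line)}

def classify(event):
    """Return the alert reasons for one parsed event; an empty list means no alert."""
    reasons = []
    if event.get("cfgpath") not in SENSITIVE_PATHS:
        return reasons
    m = UI_RE.match(event.get("ui", ""))
    channel = m.group("channel") if m else "UNKNOWN"
    src = m.group("src") if m else "unknown"
    what = f'{event.get("action")} {event.get("cfgpath")} {event.get("cfgobj", "")}'.strip()
    # Rule 1: any new admin account is worth a look, whoever created it.
    if event["cfgpath"] == "system.admin" and event.get("action") == "Add":
        reasons.append(f"admin account created: {what} by {event.get('user')} from {src}")
    # Rule 2: sensitive changes from outside the management allowlist.
    if src not in TRUSTED_MGMT:
        reasons.append(f"{what} from untrusted source {src} via {channel}")
    return reasons

def detect(lines):
    """Run every line through the rules; return (timestamp, reasons) for hits only."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((f'{ev.get("date")} {ev.get("time")}', reasons))
    return hits

if __name__ == "__main__":
    for ts, reasons in detect(SAMPLE_LOGS):
        for r in reasons:
            print(f"[ALERT] {ts}: {r}")
```

On the constructed input the script raises two alerts: the admin account added over the REST interface from an address outside the allowlist, and the firewall policy that account then adds from the same address; the two changes made from trusted management hosts are ignored.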
Link(s):
https://www.reliaquest.com/blog/credential-theft-vs-admin-control-threat-spotlight/