FortiOS system file leak through SSL VPN

Hackers are actively trying to steal passwords from SSL VPN servers. The Fortinet VPN server was found vulnerable to disclosure of usernames and passwords in plain text: FortiOS leaks system files through the SSL VPN via specially crafted HTTP resource requests. Credit for recently identifying the vulnerability goes to Meh Chang and Orange Tsai from the DEVCORE Security Research Team.

Hackers hit FortiOS recently. Below are the affected FortiOS versions:


  • 6.0 – 6.0.0 to 6.0.4,
  • 5.6 – 5.6.3 to 5.6.7,
  • 5.4 – 5.4.6 to 5.4.12

Other branches and versions are not affected, and the versions listed above are affected only if the SSL VPN service (web-mode or tunnel-mode) is enabled.


To fix the issue, upgrade to FortiOS 5.6.8 or above, 6.0.5 or above, 6.2.0 or above, or the upcoming 5.4.13.


As a temporary solution, the only workaround is to totally disable the SSL-VPN service (both web-mode and tunnel-mode).


Furthermore, SSL VPN users with local authentication can mitigate the impact by enabling Two-Factor Authentication (2FA).

I would say it can be a good security practice to use 2FA for VPN access.
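The version ranges, fixed releases and mitigations above can be turned into a small inventory triage script. This is an added example, not code from Fortinet or the researchers; the device names, version strings and status labels are constructed for illustration.

```python
import re

# Affected ranges and fixed releases as listed in the article above.
AFFECTED = {
    (6, 0): ((6, 0, 0), (6, 0, 4)),
    (5, 6): ((5, 6, 3), (5, 6, 7)),
    (5, 4): ((5, 4, 6), (5, 4, 12)),
}
FIXED = {(6, 0): "6.0.5", (5, 6): "5.6.8", (5, 4): "5.4.13 (upcoming)"}


def parse_version(text):
    """Pull (major, minor, patch) out of a string such as 'v6.0.4,build0231'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no FortiOS version in {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(version_text, sslvpn_enabled, two_factor=False):
    """Return (status, advice); the status labels are this example's own."""
    ver = parse_version(version_text)
    bounds = AFFECTED.get(ver[:2])
    if bounds is None or not bounds[0] <= ver <= bounds[1]:
        return ("not affected", "version is outside the listed ranges")
    fix = FIXED[ver[:2]]
    if not sslvpn_enabled:
        return ("not exposed", f"upgrade to {fix} before enabling SSL VPN")
    advice = f"upgrade to {fix} or above, or disable SSL VPN (web and tunnel mode)"
    if not two_factor:
        advice += "; enable 2FA for local-auth SSL VPN users until then"
    return ("vulnerable", advice)


# Constructed inventory: (name, version string, SSL VPN enabled, 2FA enabled).
INVENTORY = [
    ("fw-edge-01", "FortiGate-100D v6.0.4,build0231", True, False),
    ("fw-edge-02", "v5.6.2", True, False),
    ("fw-lab-01", "v5.4.12", False, False),
    ("fw-dc-01", "v6.2.0", True, True),
]


def report(inventory):
    """Map each device name to its triage result."""
    return {name: triage(ver, vpn, mfa) for name, ver, vpn, mfa in inventory}


if __name__ == "__main__":
    for name, (status, advice) in report(INVENTORY).items():
        print(f"{name}: {status} - {advice}")
```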

The researchers reported flaws to Fortinet on Dec. 11, 2018.

In addition, they noted, among the largest 500 publicly traded U.S. companies, just three SSL VPN vendors commanded 75 percent market share. “The diversity of SSL VPN is narrow. Therefore, once we find a critical vulnerability on the leading SSL VPN, the impact is huge,” they said. “There is no way to stop us because SSL VPN must be exposed to the internet.”

CVE Statistics
Recent count of CVEs tied to leading SSL VPN vendors’ firmware (Source: Meh Chang and Orange Tsai)

To conclude, if 2FA is enabled for SSL VPN, login is not possible with the password alone.
