How severe is CVE-2018-13383?

Medium severity. CVSS v3 base score is 4.3 out of 10.

Is CVE-2018-13383 known to be exploited?

Yes. CVE-2018-13383 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-01-10), indicating it is being actively exploited. 5 public proof-of-concept repositories are indexed.

Vulnerability in Fortinet Fortios And Fortiproxy

CVE-2018-13383

A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination…

EPSS: 0.018 (83.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.

Affected products

Fortinet Fortios And Fortiproxy — versions FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier, FortiProxy 2.0.0, 1.2.8 and earlier

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2022-01-10. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-07-10.

Required action: Apply updates per vendor instructions.

Known ransomware campaign use: yes.

Public proof-of-concept exploits

References

fortiguard.com/advisory/FG-IR-18-388 (x_refsource_CONFIRM)
fortiguard.com/advisory/FG-IR-20-229 (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2018-13383?: CVE-2018-13383 is a medium-severity vulnerability in Fortinet Fortios And Fortiproxy. CVSS score: 4.3/10. Published 2019-05-29.
How severe is CVE-2018-13383?: Medium severity. CVSS v3 base score is 4.3 out of 10.
Is CVE-2018-13383 known to be exploited?: Yes. CVE-2018-13383 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-01-10), indicating it is being actively exploited. 5 public proof-of-concept repositories are indexed.