FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Article Id 195004

The security of our customers is our first priority. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

The following Common Vulnerabilities and Exposures (CVE) are included in the joint CSA:

    • CVE-2018-13379, a path traversal vulnerability (Common Vulnerability Scoring System base score of 9.8);

    • CVE-2020-12812, an improper authentication vulnerability (CVSS base score of 9.8); and

    • CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5).


CVE-2018-13379 / FG-IR-18-384

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.


Affected Products

FortiOS 6.0 - 6.0.0 to 6.0.4

FortiOS 5.6 - 5.6.3 to 5.6.7

FortiOS 5.4 - 5.4.6 to 5.4.12

(Branches and versions other than those listed above are not impacted.)

Affected ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.



Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.


More details can be found at


CVE-2019-5591 / FG-IR-19-037

A default configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.


Affected Products

FortiOS 6.2.0 and below.



Upgrade to FortiOS 6.2.1 and above.


More details can be found at


CVE-2020-12812 / FG-IR-19-283

An improper authentication vulnerability in SSL VPN in FortiOS may allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they change the case of their username.


This happens when two-factor authentication is enabled in the "user local" setting and that user's authentication type is set to a remote authentication method (for example, ldap).


The issue exists because of inconsistent case-sensitive matching between the local and remote authentication.
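The following is an added illustration of the failure mode just described; it is constructed model code, not FortiOS code. It assumes a remote (LDAP-style) directory that matches usernames case-insensitively and a local user table, keyed case-sensitively, that carries the two-factor flag. The flawed flow lets a differently-cased username pass the remote check without the local two-factor entry ever being found; the hardened flow normalises the username once before both lookups and refuses to fall through when no local policy entry exists.

```python
"""Model of a case-sensitivity mismatch between local and remote authentication.

Constructed illustration (not FortiOS code). REMOTE_DIRECTORY stands in for an
LDAP server that compares usernames case-insensitively; LOCAL_USERS stands in
for the local user table that records which users require a second factor.
"""

# Constructed remote directory: LDAP-style, usernames compared case-insensitively.
REMOTE_DIRECTORY = {"alice": "correct-horse"}

# Constructed local user table: the entry that says "alice must present a token".
LOCAL_USERS = {"alice": {"auth": "ldap", "two_factor": True}}


def remote_password_ok(username: str, password: str) -> bool:
    """LDAP-style bind: the directory lower-cases the username before matching."""
    return REMOTE_DIRECTORY.get(username.lower()) == password


def login_vulnerable(username: str, password: str, token_ok: bool) -> str:
    """Flawed flow: exact-case local lookup, case-insensitive remote lookup.

    Logging in as "ALICE" passes the remote check, but the local entry that
    demands a token is never found, so the second factor is silently skipped.
    """
    local = LOCAL_USERS.get(username)          # exact-case match only
    if not remote_password_ok(username, password):
        return "denied"
    if local is not None and local["two_factor"] and not token_ok:
        return "token-required"
    return "granted"


def login_fixed(username: str, password: str, token_ok: bool) -> str:
    """Hardened flow: one canonical form of the username for every lookup."""
    canonical = username.lower()
    local = LOCAL_USERS.get(canonical)
    if local is None:
        return "denied"                        # no local policy entry: do not fall through
    if local["auth"] == "ldap" and not remote_password_ok(canonical, password):
        return "denied"
    if local["two_factor"] and not token_ok:
        return "token-required"
    return "granted"


if __name__ == "__main__":
    for user in ("alice", "ALICE"):
        print(f"{user:6s} vulnerable flow, no token: {login_vulnerable(user, 'correct-horse', False)}")
        print(f"{user:6s} fixed flow, no token:      {login_fixed(user, 'correct-horse', False)}")
```

The point of the model is that the two lookups disagree about what "the same user" means; the fix is not to make the local table case-insensitive on its own, but to canonicalise the identity once and apply every policy decision to that single form.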


Affected Products

FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below



Upgrade to the following FortiOS version:

6.4.1 or later

6.2.4 or later

6.0.10 or later


More details can be found at


Fortinet customers are advised to upgrade to the recommended FortiOS versions to mitigate these vulnerabilities.

The custom Event Handler and Report provided can be used in FortiAnalyzer 6.2 and FortiAnalyzer 6.4.

See the Solution section for instructions on how to load these into a FortiAnalyzer.


This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect attempts to exploit SSL VPN vulnerabilities in FortiOS.

The Event Handler and Report will:

  1. Detect and report on IPS events of attempts to exploit CVE-2018-13379
  2. Report on FortiGate OS versions that are vulnerable to the above vulnerabilities
  3. NOT detect whether configuration has been applied to fix configuration vulnerabilities.

To apply fixes for configuration vulnerabilities in CVE-2019-5591 and CVE-2020-12812, please visit the FortiGuard link above for recommendations. Additionally, visit the FortiGuard link corresponding to CVE-2018-13379 for info on mitigating the vulnerability.


What is included in


1. Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json

This event handler helps detect attempts at exploiting CVE-2018-13379, based on FortiGate IPS signature detection. 


It includes the following IPS signature:



2. Outbreak_Alerts_FOS-Vulnerabilities_Report.dat

A Threat Hunting Report to summarize:

    • Affected FortiGates, by detected vulnerability
    • SSL VPN vulnerability IPS detections


All screenshots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.


1) Download the archive (it contains the two files listed above)


2) Unzip


3) Import Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json into Event Handlers

     a. Choose an ADOM (if ADOMs are enabled)

     b. Choose the FortiSOC module

     c. Select Event Handler List

     d. Select the Import option under "More"

     e. Select Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json



Result: the Outbreak_Alerts_SSLVPN-Vulnerability_Detection event handler is enabled and will be triggered whenever matching logs are received after the import.


4) Import Outbreak_Alerts_FOS-Vulnerabilities_Report.dat into Reports

    a. Choose a Fabric ADOM (if ADOMs are enabled)

    b. Choose the Report module

    c. Select the Import option under "More"

    d. Select Outbreak_Alerts_FOS-Vulnerabilities_Report.dat



Result: 'Outbreak_Alerts_FOS-Vulnerabilities_Report' can be run at any time by an admin user.
