Editor’s note: This report was authored by Gautham Ashok & Alexa Feminella.

Key Findings

Even years after their disclosure, VPN-related vulnerabilities like CVE-2018-13379 and CVE-2022-40684 remain essential tools for attackers, driving large-scale campaigns of credential theft and administrative control. VPN infrastructure has become an adversary focal point, blending cybercriminal tactics with state-sponsored espionage in hybrid operations. Our investigations into the reasons behind these attacks reveal a 4,223% growth in chatter on cybercriminal forums related to specifically Fortinet VPNs since 2018, underscoring threat actors’ increasing focus on exploiting VPN vulnerabilities.

To help you understand the scale and tactics behind this trend, we examine the driving factors behind VPN exploitation, focusing on:

  • Two notable methods attackers use to exploit VPNs: credential theft and administrative control.
  • How vulnerabilities like CVE-2018-13379 and CVE-2022-40684 remain cornerstones of attacker playbooks for compromising VPN infrastructure.
  • How AI and automation are amplifying the scale and sophistication of VPN attacks.

Read on to find out how these vulnerabilities are still shaping the threat landscape and the steps your organization must take to defend against them.



VPN Infrastructure’s Allure for Threat Actors

VPNs have become a fundamental part of network security for organizations worldwide, enabling secure remote access to systems, encrypting sensitive data during transmission, and protecting internal networks from unauthorized access. By creating encrypted tunnels, VPNs safeguard information between a user’s device and the organization’s network—even over public connections. Their ubiquity makes VPNs highly enticing targets for attackers. Our research shows that attackers are actively exploiting 51 CVEs across major VPN products, including those from Fortinet, Ivanti, Cisco, SonicWall, and Citrix, for three key reasons:

Weaponization of Credential-Stealing Exploits: Attackers abuse VPN vulnerabilities to steal plaintext VPN credentials, often using proof-of-concept (PoC) exploits to automate the process. This allows them to scale attacks, turning isolated vulnerabilities into widespread breaches affecting hundreds of systems at once.

Direct Access and Privileges: Valid VPN credentials grant threat actors unrestricted access to sensitive systems, often with elevated privileges that mirror those of legitimate employees or administrators. This bypasses security barriers entirely, giving adversaries a direct path to infiltrate networks, steal data, and deploy ransomware undetected.

Ease of Monetization: Stolen VPN credentials are highly marketable on dark-web forums, often selling for as little as $100 and bundled with additional access points like Remote Desktop Protocol (RDP) software or Citrix-based solutions. For businesses, this means their compromised access can be resold multiple times, leaving them vulnerable to repeated attacks from different threat actors if passwords aren’t changed promptly.

Threat actors abuse VPN vulnerabilities in two primary ways, depending on their objectives:

  • Cybercriminal groups typically focus on credential theft, harvesting usernames and passwords for monetization through ransomware or to sell on dark-web marketplaces.
  • State-sponsored advanced persistent threat (APT) groups aim for administrative control, exploiting VPN vulnerabilities to gain persistent access to devices for long-term espionage, deeper network infiltration, and strategic advantage.

The tactics used by these two types of threat actors often overlap, enabling a dual outcome: harvesting credentials and gaining administrative access, maximizing their reach and impact. Notably, 64% of VPN vulnerabilities are directly linked to ransomware campaigns, demonstrating how cybercriminals quickly monetize stolen credentials for profit. Compromising VPNs—whether through stolen credentials, unpatched vulnerabilities, or misconfigurations—gives adversaries a free pass to an organization’s entire digital ecosystem. From file servers and databases to internal applications and cloud platforms, VPN credentials function as the ultimate skeleton key, delivering maximum impact with minimal effort.

For this report, we reviewed two vulnerabilities that exemplify common methods attackers use to target VPNs. Both vulnerabilities have maintained an Exploit Prediction Scoring System (EPSS) score of 97% since their discovery, placing them in the top 3% of vulnerabilities most likely to be exploited within the next 30 days [1]:

  • CVE-2018-13379: A simple path traversal flaw that enables direct theft of credentials from VPN devices.
  • CVE-2022-40684: The vulnerability that was exploited in a 2025 breach by the “Belsen_Group” gang, which gave attackers super-admin access (complete administrative control) to VPN infrastructure and enabled automated attacks at an unprecedented scale.



CVE-2018-13379: The Eternal Exploit

What is CVE-2018-13379?

CVE-2018-13379 is a path traversal vulnerability in Fortinet’s FortiGate Secure Sockets Layer (SSL) VPN devices and has proven to be a favorite among attackers, despite being nearly five years old. Rated CVSS 9.8, it earned a spot on the Cybersecurity and Infrastructure Security Agency (CISA) list of the 15 most exploited flaws from 2020 to 2022. While it had dropped out of the top 15 by 2023, it remains on CISA’s list of routinely exploited vulnerabilities, showcasing its enduring appeal to threat actors.

Exploiting CVE-2018-13379 gives adversaries direct, unauthenticated access to sensitive system files, including the jackpot sslvpn_websession. This plaintext file often contains usernames and passwords, giving attackers immediate access to credentials—no advanced tools or expertise needed. A simple remote attack is enough for attackers to infiltrate networks, move laterally, and extract valuable data.

On February 19, 2025, CISA and the FBI issued an advisory warning about “Ghost” ransomware, which exploits this vulnerability using publicly available code. The ransomware targets unpatched internet-facing servers, impacting systems across 70+ countries in sectors like critical infrastructure, health care, governments, education, technology, manufacturing, and small- to medium-sized businesses.

CVE-2018-13379 has been used by state-sponsored APTs like Russia-backed “APT28” or Iran-backed “MuddyWater” to establish lasting control over target networks [2]. Unlike cybercriminals seeking quick wins, these groups prioritize maintaining persistent access for long-term espionage and strategic advantage. In one example, the Chinese group “APT5,” operating from the most active nation state targeting VPN devices, maintained access to compromised VPN infrastructure in the telecommunications sector for months [3].

What’s Behind its Enduring Popularity?

What makes CVE-2018-13379 so dangerous is its stickiness. Many VPN systems remain unpatched against older vulnerabilities, making this one a perennial favorite for credential-stealing campaigns. Attackers favor direct credential theft because it’s straightforward, scalable, and provides immediate value. By exploiting vulnerabilities that expose credential storage, attackers can harvest plaintext usernames and passwords without needing persistent access or backdoor accounts. A single successful exploit can yield hundreds or thousands of valid credentials, which can then be automated for mass exploitation, sold on dark-web forums for profit, or stockpiled for future campaigns.

Fortinet’s credential storage practices significantly amplify the impact of this vulnerability. By default, the private data encryption feature is disabled unless explicitly enabled by users—a design choice that likely makes credential theft significantly easier [4]. As a result, threat actors exploiting CVE-2018-13379 often find credentials stored in plaintext, ready for immediate use. Once logged in with these stolen credentials, they can seamlessly blend in with legitimate user activity, making it extremely difficult for security teams to distinguish malicious behavior from normal operations. This lack of visibility allows attackers to move laterally through networks, escalate privileges, and exfiltrate data or deploy additional payloads—all while remaining undetected for extended periods.

Threat Actors Share Automated Exploit for CVE-2018-13379

Despite being over five years old and the subject of numerous advisories urging companies to patch against it, CVE-2018-13379 remains widely exploited because many organizations are slow to act. Whether driven by concerns over downtime or simply underestimating the risk of older vulnerabilities, this lack of urgency leaves systems exposed to attack. Cybercriminals on underground forums have capitalized on this, repeatedly sharing PoCs designed to exploit the flaw.

Figure 1: XSS user shares automated Python-based PoC for CVE-2018-13379

One PoC (see Figure 1) stood out—a fully weaponized, automated, Python-based exploit that streamlines credential theft, turning the exploitation of CVE-2018-13379 into a mass-scale operation. Here’s how the PoC works:

This PoC transforms VPN compromise into a point-and-click operation, allowing attackers to breach thousands of networks simultaneously. This industrialized attack process makes widespread corporate breaches alarmingly easy, lowering the technical barrier for mass-scale attacks.

Step Up Your Defenses Against CVE-2018-13379

How ReliaQuest Helps You

Threat Intelligence: We curate and continually update vulnerability profiles in ReliaQuest’s GreyMatter, enabling organizations to prioritize risks, take action based on their specific needs, and stay informed about the latest developments tied to this vulnerability.

Detection Rules: We recommend implementing the following detection rules to counter the exploitation of CVE-2018-13379.


Detection Rule: External Recon Followed by Remote Authentication
MITRE ATT&CK IDs: TA0043: T1595.002 – Vulnerability Scanning; TA0043: T1595.001 – Scanning IP Blocks; TA0001: T1190 – Exploit Public-Facing Application; TA0001: T1133 – External Remote Services; TA0007: T1046 – Network Service Discovery
Summary: A successful remote login from an external IP address following vulnerability scanning or reconnaissance activity may indicate an attacker exploiting CVE-2018-13379. This rule detects successful authentications from flagged IPs, signaling an attempt to harvest credentials from the vulnerable sslvpn_websession file to gain access.

Detection Rule: Exploit Followed by Reverse Shell
MITRE ATT&CK IDs: TA0001: T1190 – Exploit Public-Facing Application; TA0003: T1505.003 – Web Shell
Summary: Exploiting CVE-2018-13379 can allow attackers to establish a reverse shell connection, disguising their activity by using commonly available ports. This rule identifies outbound connections initiated by compromised hosts post-exploitation, which reveal attempts to escalate privileges and move laterally within the network.

Detection Rule: Allowed Exploit from Threat IP
MITRE ATT&CK IDs: TA0001: T1190 – Exploit Public-Facing Application
Summary: Attackers leveraging CVE-2018-13379 often launch exploits from known threat IPs observed in intelligence feeds, targeting vulnerable VPN endpoints. This rule flags exploit attempts originating from known malicious IPs, providing strong evidence of a targeted attack designed to harvest plaintext credentials.
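The first rule above ("External Recon Followed by Remote Authentication") is a temporal correlation: a source IP that generated scanning events and then completed a successful SSL-VPN login within a short window. The following Python is an added illustration of that logic, not ReliaQuest's GreyMatter rule; the log lines are constructed in a FortiGate-style key=value layout, and the field names (srcip, remip, action="ssl-login", status) and the attack signature name are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Minimal key=value parser for FortiGate-style log lines (quoted or bare values).
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of field -> value for one key=value log line."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def event_time(rec):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


# Constructed sample events, not real FortiGate output. 198.51.100.7 scans the
# VPN portal and then logs in as jdoe seven minutes later; 192.0.2.99 scans but
# the later login from it is hours afterwards; 192.0.2.44 never scanned.
SAMPLE_LOGS = """\
date=2025-02-19 time=09:58:10 type="utm" subtype="ips" action="detected" attack="Web.Scanner" srcip=198.51.100.7 dstip=203.0.113.10
date=2025-02-19 time=09:58:11 type="utm" subtype="ips" action="detected" attack="Web.Scanner" srcip=198.51.100.7 dstip=203.0.113.10
date=2025-02-19 time=10:05:42 type="event" subtype="vpn" action="ssl-login" status="success" user="jdoe" remip=198.51.100.7
date=2025-02-19 time=10:07:03 type="event" subtype="vpn" action="ssl-login" status="success" user="asmith" remip=192.0.2.44
date=2025-02-19 time=10:09:15 type="utm" subtype="ips" action="detected" attack="Web.Scanner" srcip=192.0.2.99 dstip=203.0.113.10
date=2025-02-19 time=14:30:00 type="event" subtype="vpn" action="ssl-login" status="success" user="jdoe" remip=192.0.2.99
"""


def find_recon_then_login(log_text, window=timedelta(hours=1)):
    """Return (user, remip, login_time) for every successful SSL-VPN login whose
    source IP produced IPS scanning events within `window` before the login.
    Assumes IPS detections carry srcip and VPN logins carry remip."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=event_time)          # tolerate out-of-order log delivery
    recon = {}                            # srcip -> list of recon timestamps
    hits = []
    for rec in records:
        ts = event_time(rec)
        if rec.get("subtype") == "ips" and "srcip" in rec:
            recon.setdefault(rec["srcip"], []).append(ts)
        elif (rec.get("subtype") == "vpn" and rec.get("action") == "ssl-login"
              and rec.get("status") == "success"):
            ip = rec.get("remip")
            # Flag only if some recon event from this IP falls inside the window.
            if any(ts - window <= r <= ts for r in recon.get(ip, [])):
                hits.append((rec.get("user"), ip, ts))
    return hits


if __name__ == "__main__":
    for user, ip, ts in find_recon_then_login(SAMPLE_LOGS):
        print(f"{ts} recon-then-login: user={user} remip={ip}")
```

Widening `window` to several hours would also flag the 192.0.2.99 login, which is the tuning trade-off between catching slow attackers and raising false positives on shared egress addresses.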


Threat Hunting: Through GreyMatter Threat Hunting packages, we empower customers to proactively identify and mitigate risks. For best protection against this vulnerability, we recommend the following threat hunts:

  • Windows Authentication–Weak Ticket Encryption: After gaining VPN access, attackers often escalate privileges through Kerberoasting. This threat hunt identifies accounts at risk of this attack vector.
  • Remote Desktop Protocol: Once inside the environment, attackers often use RDP for lateral movement. This threat hunt helps organizations audit RDP usage, identify anomalies, and better understand potential vulnerabilities in their environment.

Your Action Plan

While patching your systems is the obvious first step, additional safeguards are essential to prevent credential theft stemming from the exploitation of this vulnerability.

  • Implement Network Segmentation Behind VPN Access: Since attackers target the sslvpn_websession file to harvest credentials, segment your network so that VPN users land in an isolated environment that requires extra authentication to access critical systems. This ensures that even if the VPN is compromised, attackers can’t move laterally.
  • Deploy Out-of-Band Secondary Authentication: Implement a separate authentication system independent of the FortiGate VPN, such as hardware tokens or a multifactor authentication (MFA) solution running on different infrastructure. This ensures that even if attackers extract VPN credentials, they can’t use them without the secondary authentication that exists outside the compromised system.
  • Implement IP-Based Access Control with Rotating Allowlists: Because the exploit relies on direct HTTP GET requests to a vulnerable endpoint, restrict FortiGate VPN access to specific IP ranges that are regularly rotated. This disrupts automated mass-scanning tools by constantly changing the target space.



CVE-2022-40684: Admin Control over VPN Infrastructure

What is CVE-2022-40684?

CVE-2022-40684 is a critical authentication bypass vulnerability in Fortinet FortiOS, FortiProxy, and FortiManager network edge appliances. With a CVSS score of 9.8, this vulnerability allows attackers to bypass authentication mechanisms completely, granting them administrator-level access to affected devices. Essentially, it removes the need for valid credentials, enabling adversaries to remotely take control of the device—a highly dangerous scenario for organizations relying on Fortinet’s VPN and firewall solutions.

Threat groups like “Akira” have exploited CVE-2022-40684 for ransomware deployment [5]. In addition, exploitation techniques are often shared on cybercriminal forums, providing step-by-step guidance for attackers, making the threat more accessible. Stolen credentials are frequently weaponized in credential-stuffing campaigns, where attackers systematically attempt to compromise other FortiGate devices using leaked login details, creating a self-perpetuating cycle of breaches.

What’s Behind its Enduring Popularity?

Direct credential theft is a common tactic for attackers, but administrative control over VPN devices provides far greater dominance. By exploiting vulnerabilities like CVE-2022-40684, attackers can bypass authentication entirely and gain administrator-level access to widely deployed Fortinet devices. This, in turn, gives them control over the network infrastructure powering the VPN. This level of access allows attackers to manipulate device configurations, extract sensitive data, and deploy malicious policies to ensure long-term persistence and unrestricted access across targeted networks. This ease of exploitation, combined with administrator privileges and the ability to impact network-wide operations, makes this method particularly appealing to sophisticated threat actors, enabling large-scale breaches and sustained dominance.

Automated Admin VPN Control: Real-World Exploitation of CVE-2022-40684

In January 2025, our Threat Research team investigated a breach orchestrated by the threat actor Belsen_Group, affecting over 15,000 FortiGate devices worldwide (see Figure 2). FortiGate devices, developed by Fortinet, provide VPN, firewall, and intrusion prevention capabilities. The breach exposed sensitive data, including IP addresses, VPN credentials, and configuration files from government and private sector organizations.

Figure 2: Belsen_Group’s FortiGate breach post on the cybercriminal forum BreachForums

This breach wasn’t just notable for its scale but for its persistence: The dataset, likely assembled in October 2022 but leaked years later, demonstrates how static configurations and unpatched systems remain vulnerable long after initial compromise.

GreyMatter Digital Risk Protection (DRP) was instrumental in alerting affected customers to compromised assets, such as exposed IPs and domains in credential pairs. Impacted customers prioritized resetting exposed credentials to prevent further exploitation. Many also deployed GreyMatter Automated Response Playbooks like Reset Password to neutralize stolen credentials and block unauthorized access, ensuring rapid containment of the threat.

While Belsen_Group abused CVE-2022-40684 for large-scale data leaks and to build its reputation among threat actors, an automated Python-based PoC shared on the Russian-language cybercriminal forum Exploit reveals the full exploitation potential of this vulnerability (see Figure 3).

Figure 3: Exploit user shares automated PoC for CVE-2022-40684

Released on October 6, 2023, this scalable exploit targets Fortinet devices via their administrative API, enabling attackers to compromise vulnerable systems at unprecedented speeds. Capable of scanning up to 5 million IPs per day, the exploit automates:

  • Identifying vulnerable servers.
  • Creating or modifying administrative accounts.
  • Extracting sensitive data like VPN credentials, routing tables, and traffic statistics.
  • Deploying malicious policies to expand footholds in compromised networks.

Sold on dark-web forums for $1,500 with limited copies available, this exploit exemplifies how automation is industrializing credential theft and infrastructure compromise.

This automated exploit is a scalable tool designed to process target lists in formats like IP:HTTPS and IP:HTTPS:SSH, working via Fortinet’s administrative API. Some of its key features include:

  • Customizable Execution: Options like -r allow scanning from the last address, while -s lets the user start from a specific line.
  • Organized Outputs: Generates three files:
    • result_date.txt: Contains all successful exploits, including connection details, VPN credentials, routes, traffic statistics, and policies.
    • ldap_date.txt: Lists Lightweight Directory Access Protocol (LDAP) users for targets using LDAP authentication.
    • partially_vulnerable_date.txt: Details servers that couldn’t be fully exploited, along with reasons (e.g. non-standard Secure Shell [SSH] ports).

Step Up Your Defenses Against CVE-2022-40684

How ReliaQuest Helps You

Threat Intelligence: ReliaQuest’s DRP continuously monitors the deep and dark web to track leaked VPN credentials and other exposed assets. We actively assess emerging and established VPN threats, incorporating intelligence from diverse sources and evaluating its reliability. Tailored vulnerability profiles empower organizations to prioritize risks and act based on their specific needs.

Threat Hunting: ReliaQuest acts as an extension of our customers’ teams, providing expert support during active incidents like the ongoing exploitation of CVE-2022-40684. GreyMatter Threat Hunting packages help customers proactively identify risks, including:

  • Exfiltration Tools: After establishing a presence on compromised devices, attackers may attempt to exfiltrate sensitive data like device configurations. This threat hunt helps organizations identify signs of commonly used exfiltration tools and methods.
  • Remote Desktop Protocol: Once inside the environment, attackers often use RDP for lateral movement. This threat hunt helps organizations audit RDP usage, identify anomalies, and better understand potential vulnerabilities in their environment.

Detection Rules: Our Threat Research team develops rules to identify IOCs for critical vulnerabilities like CVE-2022-40684, including unauthorized admin account creation and anomalous activity in device logs.

We recommend implementing the following detection rule to effectively counter exploitation:


Detection Rule: Fortinet Authentication Bypass RCE (CVE-2022-40684)
MITRE ATT&CK IDs: TA0001: T1190 – Exploit Public-Facing Application; TA0002: T1203 – Exploitation for Client Execution
Summary: This rule looks for IOCs associated with this exploit, including the presence of the “local_process_access” username in device logs or the creation of a new admin through the REST API.
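The two indicators in the rule above (the “local_process_access” username appearing in device logs, and a new admin created through the REST API) can be checked directly against FortiGate configuration-change events. The Python below is an added example of that check, not ReliaQuest's own rule; the sample lines are constructed, and the assumption that the REST-API origin appears in a `ui` field alongside `cfgpath="system.admin"` and `action="Add"` is made for this example.

```python
import re

# Minimal key=value parser for FortiGate-style log lines (quoted or bare values).
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of field -> value for one key=value log line."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


# Constructed FortiGate-style events (invented values, field names follow the
# key=value convention). Lines 1-2: an admin account created and promoted by the
# Local_Process_Access user. Line 4: an admin added over the REST API. The rest
# is ordinary administration that should not fire.
SAMPLE_LOGS = """\
date=2025-01-15 time=02:14:07 type="event" subtype="system" logdesc="Object attribute configured" user="Local_Process_Access" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2025-01-15 time=02:14:09 type="event" subtype="system" logdesc="Object attribute configured" user="Local_Process_Access" ui="jsconsole" action="Edit" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"
date=2025-01-15 time=08:30:55 type="event" subtype="system" logdesc="Object attribute configured" user="netops" ui="https(192.0.2.20)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[quarterly review]"
date=2025-01-15 time=09:02:11 type="event" subtype="system" logdesc="Object attribute configured" user="api_admin" ui="REST API(198.51.100.9)" action="Add" cfgpath="system.admin" cfgobj="helpdesk2"
date=2025-01-15 time=09:10:00 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="https(192.0.2.20)" action="login" status="success"
"""

SUSPICIOUS_USER = "local_process_access"   # compared case-insensitively


def detect_cve_2022_40684(log_text):
    """Return a list of (reason, record) for events matching either indicator:
    any activity attributed to the Local_Process_Access user, or an admin
    account (cfgpath system.admin) added via the REST API."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec.get("user", "").lower() == SUSPICIOUS_USER:
            findings.append(("local_process_access user activity", rec))
        elif (rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add"
              and rec.get("ui", "").startswith("REST API")):
            findings.append(("admin account created via REST API", rec))
    return findings


def admins_created(findings):
    """Names of admin accounts (cfgobj) added in the flagged events, useful for
    the follow-up audit the action plan recommends."""
    return sorted({rec["cfgobj"] for _, rec in findings
                   if rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add"})


if __name__ == "__main__":
    found = detect_cve_2022_40684(SAMPLE_LOGS)
    for reason, rec in found:
        print(f"{rec['date']} {rec['time']} {reason}: user={rec['user']} cfgobj={rec.get('cfgobj')}")
    print("admins to review:", admins_created(found))
```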


Pair this detection rule with Automated Response Playbooks to reduce your mean time to contain (MTTC) threats to under five minutes and mitigate exploitation risks using the following pre-built workflows:

  • Block IP: Immediately cuts off malicious IP addresses attempting to exploit the vulnerability, preventing communication with compromised systems and remote execution of payloads.
  • Block Port: Restricts access to ports used for exploitation, reducing the attack surface.
  • Block Domain: Halts malicious domains associated with exploitation attempts, interrupting external command-and-control (C2) traffic and blocking attacker communications.

Your Action Plan

Patching is the first and most critical step, but additional measures are essential to prevent credential theft and further exploitation of this vulnerability. Here is what you should do next:

  • Conduct Regular Configuration Audits: Attackers often exploit static or misconfigured settings, which can leave systems vulnerable long after the initial breach. Regularly reviewing VPN configurations, user roles, access policies, and API logs helps identify unauthorized changes, anomalies, or malicious policies before they can be leveraged further.
  • Enforce Network Segmentation: Segmenting critical systems and isolating VPN traffic limits the impact of a breach by preventing attacks from moving laterally across the network after gaining admin control. This minimizes the scope of damage and ensures sensitive systems remain protected. Strict segmentation rules, along with ACLs, restrict traffic based on roles and device locations, further reducing the attack surface.
  • Enable Robust API Monitoring: Monitoring API activity on Fortinet devices can help detect unauthorized actions, such as admin account creation or policy changes, which are common during exploitation. Real-time alerts for unusual API calls enable quick identification of potential threats, allowing you to respond before attackers gain deeper access or persistence.



Step Up Your Defenses Against VPN Exploitation

Defending against VPN exploitation requires more than patching vulnerabilities—it demands a proactive approach to identify and close gaps before attackers strike. Upcoming ReliaQuest tools like GreyMatter Detection Validation and Cyber Asset Attack Surface Management (CAASM) will empower organizations to strengthen their security posture and prevent VPN vulnerabilities from becoming gateways for widespread compromise.

Detection Validation transforms how organizations assess their ability to detect VPN exploitation attempts. By integrating continuous breach and attack simulations directly into GreyMatter, it allows security teams to test detection rules against real-world attack methods, including those targeting CVE-2018-13379 and CVE-2022-40684. Key benefits include:

  • Recurring Simulations: Automated, continuous simulations keep detection rules calibrated against evolving threats, eliminating gaps caused by manual testing.
  • Actionable Insights: Address detection gaps directly within GreyMatter, streamlining workflows and avoiding inefficiencies from tool switching.
  • Precise Detection: Validate detection rules to accurately catch exploitation attempts while removing noise and blind spots.

While Detection Validation helps you stay prepared, CAASM tackles the critical challenge of gaining visibility into vulnerable systems. VPN exploitation often thrives on unpatched devices or misconfigurations buried deep within complex technology stacks. CAASM delivers comprehensive infrastructure visibility, allowing you to:

  • Know What You Own, Everywhere: Gain complete visibility into all systems, software versions, and configurations to uncover hidden vulnerabilities across your network. Leverage automated asset discovery for unified visibility and comprehensive coverage.
  • Focus on What Matters Most: Prioritize outdated software tied to vulnerabilities like CVE-2018-13379 and CVE-2022-40684, addressing them before they can be exploited. Use threat intelligence integration, AI-driven risk prioritization and insightful reporting through interactive dashboards to streamline mitigation efforts.
  • Identify Exposures Before They Become Threats: Proactively secure overlooked systems to prevent exploitation of unseen vulnerabilities. Detect and address cloud misconfigurations to minimize risk.
  • See The Full Picture, Stop Threats Faster: Use detailed asset and user contextual profiles, combined with enhanced risk scoring, to accelerate threat detection and response efforts.

Together, Detection Validation and CAASM provide a powerful one-two punch—proactively validating detections and security controls for real-world scenarios while closing the gaps attackers exploit to compromise VPN systems.



Top Lessons and What’s Next

The key takeaway from this report is clear: While many organizations scramble to patch the latest zero-day vulnerabilities or focus on the newest headline-grabbing CVEs, attackers are still exploiting older vulnerabilities like CVE-2018-13379 and CVE-2022-40684 with alarming success. These flaws remain “golden gems” for attackers, precisely because they’re often overlooked. The most dangerous threats aren’t always the ones drawing the most attention—they’re sometimes the ones hiding in plain sight. VPN infrastructure is poised to become ground zero for sophisticated operations, combining old vulnerabilities with cutting-edge tactics. Here’s what we expect:

VPN Infrastructure to Face Increased Hybrid Threats: In 2025, rising global tensions and geopolitical instability are set to fuel a dangerous convergence of state-sponsored actors and ransomware groups, with VPN infrastructure becoming the epicenter of hybrid cyber operations. Nation states like North Korea, China, and Iran will increasingly leverage ransomware as a smokescreen for espionage. Early examples include North Korean APTs “Andariel” and “Moonstone Sleet” deploying “Play” ransomware and “Qilin,” respectively [6]. As VPNs remain critical gateways to sensitive networks, attackers will exploit their vulnerabilities to mask deeper, state-backed campaigns. To prepare for this shift, organizations must prioritize patching vulnerabilities, enforce MFA, and segment critical systems to reduce attack surfaces and limit lateral movement.

AI and LLMs Will Reshape VPN Exploits: The rise of AI and large language models (LLMs) will significantly amplify the risks posed by vulnerabilities like CVE-2018-13379 and CVE-2022-40684, making credential theft and exploitation of administrative access faster, smarter, and more scalable. AI-powered tools will automate phishing campaigns and brute-force attacks for VPN credential harvesting, while LLMs will analyze credential dumps to identify high-value targets and vulnerable systems almost instantly. For flaws like CVE-2022-40684, AI-driven tools could automate the exploitation of authentication bypass vulnerabilities, giving attackers full administrative control over devices and enabling persistent malicious configurations. These advancements will streamline both credential-based and infrastructure-level attacks, forcing businesses to adopt AI-driven defenses, automate detection processes, and continuously validate security controls to counter increasingly sophisticated threats.





[1] hxxps://www.first[.]org/epss/
[2] hxxps://www.ncsc.gov[.]uk/news/indicators-of-compromise-for-malware-used-by-apt28
[3] hxxps://www.bankinfosecurity[.]com/chinese-apt-group-began-targeting-ssl-vpn-flaws-in-july-a-13037
[4] hxxps://yurisk[.]info/2023/03/21/fortigate-vpn-ssl-hardening-guide/
[5] hxxps://blog.qualys[.]com/vulnerabilities-threat-research/2024/10/02/threat-brief-understanding-akira-ransomware
[6] hxxps://www.bleepingcomputer[.]com/news/security/north-korean-govt-hackers-linked-to-play-ransomware-attack/
