CVE-2019-6693

Published Nov 21, 2019

Last updated 11 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2019-6693 involves the use of a hard-coded cryptographic key within Fortinet's FortiOS, FortiManager, and FortiAnalyzer. This key is used to encrypt sensitive data in CLI configurations and backup files. An attacker with access to these configurations or backup files can decrypt the data, including user passwords (excluding the administrator's password), private keys' passphrases, and High Availability passwords, by using the hard-coded key. The vulnerability affects FortiOS versions up to 6.2.0, 6.0.0 to 6.0.6, and 5.6.10, as well as specific versions of FortiManager and FortiAnalyzer. Fortinet has released updates that allow administrators to enable a setting that prompts for a user-defined cryptographic key, which is then used to encrypt sensitive data, mitigating the risk.

Description
Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set).
Source
psirt@fortinet.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

CVSS 2.0

Type
Primary
Base score
4
Impact score
2.9
Exploitability score
8
Vector string
AV:N/AC:L/Au:S/C:P/I:N/A:N

Known exploits

Data from CISA

Vulnerability name
Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability
Exploit added on
Jun 25, 2025
Exploit action due
Jul 16, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov
CWE-798

Social media

Hype score
Not currently trending

Configurations