CVE-2019-6693

Published Nov 21, 2019

Last updated 21 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2019-6693 involves the use of a hard-coded cryptographic key within Fortinet's FortiOS, FortiManager, and FortiAnalyzer. This key is used to encrypt sensitive data in CLI configurations and backup files. An attacker with access to these configurations or backup files can decrypt the data, including user passwords (excluding the administrator's password), private keys' passphrases, and High Availability passwords, by using the hard-coded key. The vulnerability affects FortiOS versions up to 6.2.0, 6.0.0 to 6.0.6, and 5.6.10, as well as specific versions of FortiManager and FortiAnalyzer. Fortinet has released updates that allow administrators to enable a setting that prompts for a user-defined cryptographic key, which is then used to encrypt sensitive data, mitigating the risk.

Description: Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set).
Source: psirt@fortinet.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM

CVSS 2.0

Type: Primary
Base score: 4
Impact score: 2.9
Exploitability score: 8
Vector string: AV:N/AC:L/Au:S/C:P/I:N/A:N

Known exploits

Data from CISA

Vulnerability name: Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability
Exploit added on: Jun 25, 2025
Exploit action due: Jul 16, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov: CWE-798

Hype score: Not currently trending

🛡️ We added Fortinet FortiOS, D-Link DIR-859 Router, & AMI MegaRAC SPx vulnerabilities CVE-2019-6693, CVE-2024-0769, & CVE-2024-54085 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect against cyberattacks
@CISACyber
25 Jun 2025
7061 Impressions
20 Retweets
51 Likes
9 Bookmarks
2 Replies
3 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DBDD29F8-B339-4C3B-AF3F-77BB3D323D1D",
            "versionEndIncluding": "5.6.10"
          },
          {
            "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8FA4CED9-EAB9-4FE4-B058-CC4D3E03C520",
            "versionEndIncluding": "6.0.6",
            "versionStartIncluding": "6.0.0"
          },
          {
            "criteria": "cpe:2.3:o:fortinet:fortios:6.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "72C437B7-75F8-4DDC-9670-19E2C21ACB27"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.