CVE-2019-6693 - Vulnerability Details - OpenCVE

Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is in the KEV database since June 25, 2025.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fortinet	Fortios

Configuration 1 [-]

OR	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios:6.2.0:::::::*

No data.

References

Link	Providers
https://fortiguard.com/advisory/FG-IR-19-007

History

Thu, 26 Jun 2025 08:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2025-06-25'}`

Fri, 25 Oct 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2019-11-21T15:08:05.000Z

Updated: 2025-06-25T22:20:23.580Z

Reserved: 2019-01-23T00:00:00.000Z

Link: CVE-2019-6693

Vulnrichment

Updated: 2024-08-04T20:31:03.455Z

NVD

Status : Analyzed

Published: 2019-11-21T16:15:13.173

Modified: 2025-06-26T19:31:29.797

Link: CVE-2019-6693

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "FortiGate", "vendor": "Fortinet", "versions": [{"status": "affected", "version": "5.6.9 and below"}, {"status": "affected", "version": "6.0.5 and below"}, {"status": "affected", "version": "6.2.0"}]}], "descriptions": [{"lang": "en", "value": "Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set)."}], "problemTypes": [{"descriptions": [{"description": "Information disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-21T15:08:05.000Z", "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://fortiguard.com/advisory/FG-IR-19-007"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2019-6693", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "FortiGate", "version": {"version_data": [{"version_value": "5.6.9 and below"}, {"version_value": "6.0.5 and below"}, {"version_value": "6.2.0"}]}}]}, "vendor_name": "Fortinet"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information disclosure"}]}]}, "references": {"reference_data": [{"name": "https://fortiguard.com/advisory/FG-IR-19-007", "refsource": "CONFIRM", "url": "https://fortiguard.com/advisory/FG-IR-19-007"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:31:03.455Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://fortiguard.com/advisory/FG-IR-19-007"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-23T00:00:00+00:00", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2019-6693"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-06-25", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-25T22:20:23.580Z"}, "timeline": [{"time": "2025-06-25T00:00:00+00:00", "lang": "en", "value": "CVE-2019-6693 added to CISA KEV"}]}]}, "cveMetadata": {"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "assignerShortName": "fortinet", "cveId": "CVE-2019-6693", "datePublished": "2019-11-21T15:08:05.000Z", "dateReserved": "2019-01-23T00:00:00.000Z", "dateUpdated": "2025-06-25T22:20:23.580Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://fortiguard.com/advisory/FG-IR-19-007", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:31:03.455Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-6693", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-23T13:59:42.969976Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-06-25", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T14:00:55.646Z"}, "timeline": [{"lang": "en", "time": "2025-06-25T00:00:00+00:00", "value": "CVE-2019-6693 added to CISA KEV"}]}], "cna": {"affected": [{"vendor": "Fortinet", "product": "FortiGate", "versions": [{"status": "affected", "version": "5.6.9 and below"}, {"status": "affected", "version": "6.0.5 and below"}, {"status": "affected", "version": "6.2.0"}]}], "references": [{"url": "https://fortiguard.com/advisory/FG-IR-19-007", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Information disclosure"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2019-11-21T15:08:05.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "5.6.9 and below"}, {"version_value": "6.0.5 and below"}, {"version_value": "6.2.0"}]}, "product_name": "FortiGate"}]}, "vendor_name": "Fortinet"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://fortiguard.com/advisory/FG-IR-19-007", "name": "https://fortiguard.com/advisory/FG-IR-19-007", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information disclosure"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-6693", "STATE": "PUBLIC", "ASSIGNER": "[email protected]"}}}}, "cveMetadata": {"cveId": "CVE-2019-6693", "state": "PUBLISHED", "dateUpdated": "2025-06-25T22:20:23.580Z", "dateReserved": "2019-01-23T00:00:00.000Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2019-11-21T15:08:05.000Z", "assignerShortName": "fortinet"}, "dataVersion": "5.1"}

{"cisaActionDue": "2025-07-16", "cisaExploitAdd": "2025-06-25", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBDD29F8-B339-4C3B-AF3F-77BB3D323D1D", "versionEndIncluding": "5.6.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "matchCriteriaId": "8FA4CED9-EAB9-4FE4-B058-CC4D3E03C520", "versionEndIncluding": "6.0.6", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:fortinet:fortios:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "72C437B7-75F8-4DDC-9670-19E2C21ACB27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set)."}, {"lang": "es", "value": "El uso de una clave criptogr\u00e1fica embebida para cifrar datos confidenciales en el archivo de respaldo de configuraci\u00f3n de FortiOS, puede permitir a un atacante con acceso al archivo de respaldo descifrar los datos confidenciales, por medio del conocimiento de la clave embebida. Los datos confidenciales mencionados anteriormente incluyen las contrase\u00f1as de los usuarios (excepto la contrase\u00f1a del administrador), las frases de contrase\u00f1a de las claves privadas y la contrase\u00f1a de alta disponibilidad (cuando se establecen)."}], "id": "CVE-2019-6693", "lastModified": "2025-06-26T19:31:29.797", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2019-11-21T16:15:13.173", "references": [{"source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://fortiguard.com/advisory/FG-IR-19-007"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://fortiguard.com/advisory/FG-IR-19-007"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "[email protected]", "type": "Primary"}]}