CVE-2019-15707

MEDIUM

FortiMail 6.2.0, 6.0.0-6.0.6, <5.4.10 - Authenticated Improper Access Control in Admin WebUI

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-15707. PoCs published by cristianovisk.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2019-15707, which targets a command injection vulnerability in the 'fewReq' parameter of the admin.fe module. The exploit captures a token, injects a command, and executes it via a crafted request.

Description

An improper access control vulnerability in FortiMail admin webUI 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below may allow administrators to perform system backup config download they should not be authorized for.

Exploits (1)

nomisec WORKING POC 3 stars
by cristianovisk · poc
https://github.com/cristianovisk/CVE-2019-15707

This repository contains a functional exploit for CVE-2019-15707, which targets a command injection vulnerability in the 'fewReq' parameter of the admin.fe module. The exploit captures a token, injects a command, and executes it via a crafted request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Unknown (likely a web application with admin.fe module)
Auth required
Prerequisites: Valid credentials for authentication · Access to the admin.fe module
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References
Vendor Advisory x_refsource_misc
https://fortiguard.com/advisory/FG-IR-19-237

Scores

CVSS v3 4.9
EPSS 0.0121
EPSS Percentile 64.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (2)
fortinet/fortimail 6.2.0
fortinet/fortimail < 5.4.10
Published Jan 23, 2020
Tracked Since Feb 18, 2026