CVE-2019-6693
MEDIUM | KEV | RANSOMWARE
FortiOS < 5.6.10 - Use of Hard-coded Credentials in Configuration Backup
Title source: llm
Exploitation Summary
CVE-2019-6693 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 25, 2025, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including saladandonionrings, synacktiv and gquere.
AI-analyzed exploit summary: This Python script decrypts FortiGate user and HA configuration passwords by leveraging a known encryption key (CVE-2019-6693). It parses FortiOS configuration files and uses AES-CBC decryption with a hardcoded key.
Description
Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set).
Exploits (4)
1. This Python script decrypts FortiGate user and HA configuration passwords by leveraging a known encryption key (CVE-2019-6693). It parses FortiOS configuration files and uses AES-CBC decryption with a hardcoded key.
2. This PoC decrypts FortiManager/FortiAnalyzer configuration secrets by exploiting a hardcoded AES key (CVE-2020-9289 and CVE-2019-6693). It handles IV extraction and padding adjustments specific to these devices.
3. This PoC decrypts FortiGate configuration secrets by exploiting a hardcoded AES encryption key (CVE-2019-6693). It takes a base64-encoded encrypted string and decrypts it using a known key and IV.
4. This PoC decrypts FortiGate configuration files or individual encrypted strings using a known default encryption key. It leverages AES-CBC decryption to reveal sensitive information if the default key has not been changed.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N