CVE-2020-9289

HIGH

Fortinet Fortianalyzer < 6.2.3 - Hard-coded Credentials


Description

Use of a hard-coded cryptographic key to encrypt password data in the CLI configuration in FortiManager 6.2.3 and below and FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data via knowledge of the hard-coded key.

Exploits (1)

nomisec: working PoC (11 stars), by synacktiv, type: poc
https://github.com/synacktiv/CVE-2020-9289

References (1)

Core References
Vendor Advisory (x_refsource_misc)
https://fortiguard.com/psirt/FG-IR-19-007

Scores

CVSS v3 7.5
EPSS 0.0102
EPSS Percentile 77.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-798
Status published
Products (2)
fortinet/fortianalyzer < 6.2.3
fortinet/fortimanager < 6.2.3
Published Jun 16, 2020
Tracked Since Feb 18, 2026