CVE-2019-17659
Published: 17 March 2025
Summary
CVE-2019-17659 is a low-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Fortinet FortiSIEM. Its CVSS base score is 3.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). It ranks in the top 32.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).
Deeper analysis
CVE-2019-17659 is a use of hard-coded cryptographic key vulnerability (CWE-798) in FortiSIEM version 5.2.6. The issue stems from a hard-coded private key that enables SSH access to the supervisor component as the restricted user "tunneluser".
A remote unauthenticated attacker can exploit this vulnerability by leveraging knowledge of the private key obtained from another FortiSIEM installation or a firmware image. Successful exploitation grants SSH access to the supervisor as "tunneluser". The CVSS v3.1 base score is 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L), reflecting the high attack complexity and an impact limited to low availability.
Mitigation details are available in the Fortinet PSIRT advisory FG-IR-19-296 at https://fortiguard.fortinet.com/psirt/FG-IR-19-296.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6589
Vulnerability details
A use of hard-coded cryptographic key vulnerability in FortiSIEM version 5.2.6 may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser" by leveraging knowledge of the private key from another installation or a firmware image.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The hard-coded private key enables remote unauthenticated SSH access to the supervisor as "tunneluser", directly facilitating initial access via external remote services (T1133).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SC-12 requires the establishment and management of cryptographic keys, which rules out shipping the same private key in every installation and so directly addresses the hard-coded key that enables unauthorized SSH access.
IA-5 mandates secure management of authenticators, including SSH private keys, ensuring they are neither hard-coded nor default and are properly generated and protected.
AC-17 enforces authorization and protection mechanisms for remote access such as SSH, limiting the supervisor component's exposure to exploitation of a hard-coded key.