Cyber Posture

CVE-2019-17659

Low

Published: 17 March 2025

Modified: 15 July 2025
CVSS Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0052 (66.8th percentile)
Risk Priority: 8 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-17659 is a low-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Fortinet FortiSIEM. Its CVSS base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). The CVE is ranked in the top 33.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to External Remote Services (T1133). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

SC-12 requires establishment and management of cryptographic keys, directly preventing the use of hard-coded private keys that enable unauthorized SSH access.

prevent

IA-5 mandates secure management of authenticators including SSH private keys, ensuring they are not hard-coded or default and are properly generated and protected.

AC-17 Remote Access (partial match)
prevent

AC-17 enforces authorization and protection mechanisms for remote access like SSH, limiting exposure to hard-coded key exploitation on the supervisor component.

MITRE ATT&CK Enterprise Techniques

T1133 External Remote Services (Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Why these techniques?

The hard-coded private key enables remote unauthenticated SSH access to the supervisor as tunneluser, directly facilitating initial access via external remote services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A use of hard-coded cryptographic key vulnerability in FortiSIEM version 5.2.6 may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser" by leveraging knowledge of the private key from another installation or a firmware image.

Deeper analysis

CVE-2019-17659 is a use of hard-coded cryptographic key vulnerability (CWE-798) in FortiSIEM version 5.2.6. The issue stems from a hard-coded private key that enables SSH access to the supervisor component as the restricted user "tunneluser".

A remote unauthenticated attacker can exploit this vulnerability by leveraging knowledge of the private key obtained from another FortiSIEM installation or a firmware image. Successful exploitation grants SSH access to the supervisor as "tunneluser". The CVSS v3.1 base score is 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L), reflecting high attack complexity and a primarily low availability impact.

Mitigation details are available in the Fortinet PSIRT advisory FG-IR-19-296 at https://fortiguard.fortinet.com/psirt/FG-IR-19-296.

Details

CWE(s)

Affected Products

fortinet fortisiem ≤ 5.2.7

CVEs Like This One

CVE-2023-40723 (same product: Fortinet FortiSIEM)
CVE-2025-64155 (same product: Fortinet FortiSIEM)
CVE-2024-46667 (same product: Fortinet FortiSIEM)
CVE-2025-25256 (same product: Fortinet FortiSIEM)
CVE-2026-22153 (same vendor: Fortinet)
CVE-2023-37936 (same vendor: Fortinet)
CVE-2024-27778 (same vendor: Fortinet)
CVE-2024-48885 (same vendor: Fortinet)
CVE-2024-52960 (same vendor: Fortinet)
CVE-2023-25610 (same vendor: Fortinet)

References