Cyber Resilience

CVE-2019-5591

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 August 2020

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.5055 (97.9th percentile)
Risk Priority: 63 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-5591 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Fortinet FortiOS. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2019-5591 is a default configuration vulnerability affecting FortiOS that stems from missing authentication for a critical function (CWE-306). It enables an attacker to impersonate an LDAP server and thereby expose sensitive information exchanged during authentication or directory lookups.

An unauthenticated attacker positioned on the same local subnet can exploit the issue with low attack complexity. Successful exploitation allows interception of sensitive data, corresponding to the CVSS 6.5 rating that reflects adjacent-network access and high confidentiality impact without requiring privileges or user interaction.

The FortiGuard advisory FG-IR-19-037 addresses the issue, and the vulnerability appears in CISA’s catalog of known exploited vulnerabilities, indicating confirmed real-world exploitation activity.

Vulnerability details

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fortinet fortios ≤ 6.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification and authentication of services such as the LDAP server, directly blocking unauthenticated impersonation on the local subnet.

prevent

Mandates cryptographic protection of LDAP traffic confidentiality and integrity, preventing interception of sensitive authentication data.

prevent

Enforces authentication and access decisions before allowing LDAP directory lookups or credential exchange.
