Cyber Resilience

CVE-2019-6693

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 21 November 2019
Modified: 24 October 2025
KEV Added: 25 June 2025
Patch: see vendor advisory (FG-IR-19-007)
CVSS v3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.7222 (98.8th percentile)
Risk priority: 76 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-6693 is a medium-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Fortinet FortiOS. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2019-6693 is a use of hard-coded cryptographic key vulnerability (CWE-798) affecting FortiOS configuration backup files. The flaw stems from encryption of sensitive data using a static key embedded in the software, allowing decryption of the resulting backup if an attacker obtains the file and knows the key. Impacted data includes non-administrator user passwords, private key passphrases, and the High Availability password when configured.

An attacker with access to a FortiOS configuration backup can recover the protected values by applying the known hard-coded key. The CVSS 6.5 rating reflects network attack vector, low complexity, and low privileges required, with the impact limited to confidentiality of the specified sensitive fields.

The issue is tracked in Fortinet advisory FG-IR-19-007 and appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation.

Vulnerability details

Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set).

CWE(s): CWE-798 (Use of Hard-coded Credentials)
KEV Date Added: 25 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Fortinet FortiOS: 6.2.0; 6.0.0 through 6.0.6; 5.6.10 and earlier

Mitigating Controls (NIST 800-53 r5)

SC-12 (Cryptographic Key Establishment and Management), prevent: directly requires proper cryptographic key establishment and management, eliminating the use of hard-coded static keys for encrypting backup files.

SC-28 (Protection of Information at Rest), prevent: mandates cryptographic protection of information at rest, ensuring backup files containing passwords and passphrases cannot be decrypted with a known static key.

SC-13 (Cryptographic Protection), prevent: requires use of approved cryptographic modules and algorithms, which precludes embedding a single hard-coded key in the product.
