CVE-2019-6693 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2019-11-21

Added to CISA KEV: 2025-06-25 2043 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately upgrade FortiGate devices to patched versions (6.0.6+, 6.2.1+, or latest 5.6.x patch)
Audit all configuration backup files and assume any credentials contained within are compromised
Force password reset for all user accounts on affected FortiGate systems
Review and rotate any private keys and certificates stored in FortiGate configuration
Implement network segmentation to limit management interface exposure
Monitor for unauthorized access attempts using previously extracted credentials

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2019-6693 is a security vulnerability involving the use of a hard-coded cryptographic key within Fortinet products, specifically affecting how sensitive data is encrypted in configuration backup files ^[1] ^[2].

Attack Method and Requirements

Method: The vulnerability stems from the use of a hard-coded symmetric key to encrypt sensitive information (such as passwords and private keys) within FortiOS configuration backup files ^[1] ^[4].
Requirements: An attacker must first obtain a copy of the configuration backup file ^[2]. Once in possession of this file, they can use the known hard-coded key to decrypt the sensitive data contained within it ^[4].
Access: This is generally considered an offline attack; it does not require active network exploitation of a running device, but rather access to the configuration file itself ^[2].

Impact

Successful exploitation allows an attacker to decrypt sensitive information stored in the configuration backup, including:

Non-administrator user passwords ^[4].
Private keys ^[4].
High Availability (HA) passwords ^[4].

Exploitation and Availability

Active Exploitation: The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog ^[2].
Tool Availability: Proof-of-concept scripts and tools designed to decrypt FortiGate configuration files using this vulnerability are publicly available on platforms like GitHub ^[3] ^[4].

Affected Products and Mitigation

Affected Versions: The vulnerability affects older versions of FortiOS, including versions prior to 6.2.0, 6.0.0 through 6.0.6, and 5.6.10 ^[3].
Status: This issue was addressed by Fortinet through security patches released in 2019 ^[1]. Users of affected legacy systems are advised to upgrade to patched versions to mitigate the risk ^[5].

Sources

Hardcoded symmetric key in fips.c - PSIRT | FortiGuard Labs
Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiOS, FortiManager and FortiAnalyzer may allow an attacker with access ... Acknowledgement Fortinet is pleased to thank Bart Dopheide (bart.dopheide@axians.com) for reporting CVE-2019-6693 as well as independen…
NVD - CVE-2019-6693
Secure .gov websites use HTTPS A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites. ... CVE-2019-6693 Detail. Description. Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup…
CVE-2019-6693 - Decrypt FortiGate configuration secrets - GitHub
For Fortigate VM/appliances below versions 6.2.0, 6.0.0 to 6.0.6, 5.6.10 configuration secrets are stored encrypted with a unique key.
FortiGate Password Decrypt Script - CVE-2019-6693 - GitHub
FortiGate Password Decrypt Script - CVE-2019-6693 🔐 An authorized remote user with access or knowledge of the standard encryption key could gain access and decrypt the FortiOS backup files and all non-administrator passwords, private keys, and High Availability (HA) passwords.
FortiOS CVE-2019-6693: A known vulnerability affecting older ...
CVE-2019-6693 is a known vulnerability affecting older FortiOS versions, particularly 5.6.x and 6.0.x. It was patched by Fortinet back in ...

🟡 CVE-2019-6693