CVE-2019-5591
Published: 2020-08-14
Priority: P182 · medium · CVSS 3.1 score 6.5
CVSS vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 18.57% (96.9th percentile)
A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet_fortios | — | — |
| fortinet | fortios | <= 6.2.0 | — |
| fortinet | fortios | — | — |
Detection & IOCs (extracted from sources)

Nuclei template (the source page lists it under "sigma", but it is a Nuclei HTTP template):

```yaml
id: CVE-2019-5591

info:
  name: FortiOS - Insecure LDAP Configuration Detection
  author: ayewo
  severity: medium
  description: |
    The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions.
  impact: |
    Unauthenticated attackers can intercept sensitive information by impersonating LDAP servers within the same subnet.
  remediation: |
    Configure LDAP server settings properly and disable default configurations; update to the latest firmware version.
  reference:
    - https://github.com/ayewo/fortios-ldap-mitm-poc-CVE-2019-5591
    - https://www.fortiguard.com/psirt/FG-IR-19-037
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2019-5591
    epss-score: 0.4836
    epss-percentile: 0.97747
    cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: fortinet
    product: fortigate
    shodan-query: 'cpe:"cpe:2.3:o:fortinet:fortios"'
  tags: cve,cve2019,fortinet,ldap,kev,vkev,oast

variables:
  username: "{{rand_text_alpha(10)}}"
  password: "{{rand_text_alphanumeric(12)}}"

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /logincheck HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain;charset=UTF-8

        ajax=1&username={{username}}&secretkey={{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'name="username"'
          - 'name="secretkey"'
        condition: and

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - contains(body_2, "0")
          - contains(body_2, "1")
          - contains(body_2, "2")
        condition: or

      - type: word
        part: body_2
        words:
          - "ajax=1&username="
        condition: or
        negative: true

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
```

Detection notes extracted from the sources:

- Detect CVE-2019-5591 exploitation attempts by monitoring for POST requests to /logincheck with Content-Type: text/plain;charset=UTF-8 and a body containing 'ajax=1&username=' directed at FortiGate devices.
- Monitor for APT scanning activity against FortiGate devices on ports 4443, 8443, and 10443, which were observed as enumeration ports used by APT actors targeting CVE-2019-5591 and related Fortinet vulnerabilities.
- Detect vulnerable FortiOS instances using the Shodan query for the FortiOS CPE string, as used in the Nuclei template for CVE-2019-5591.
- Detect LDAP MitM exploitation of CVE-2019-5591 by monitoring for LDAP connection requests to FortiGate devices from unexpected hosts on the same subnet, indicative of an attacker impersonating an LDAP server.
- Use the OOB/interactsh callback on the 'secretkey' parameter in the /logincheck POST body as a detection signal; a DNS or HTTP callback indicates the FortiGate device is processing the LDAP server address from user-supplied input without certificate verification.
- CVE-2019-5591 is a default configuration flaw: FortiOS does not verify the LDAP server certificate by default (missing ca-cert, secure LDAPS, or server-identity-check), enabling MitM interception of LDAP credentials on the same subnet.
- Exploitation requires the attacker to be on the same subnet as the FortiGate device; remote unauthenticated exploitation from the internet is not possible for this specific CVE.
- The Nuclei detection template uses an OOB (interactsh) callback via the 'secretkey' field in the /logincheck endpoint; this is a probe technique and not a direct exploitation payload, so results should be correlated with LDAP configuration inspection.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 3.3 | LOW | AV:A/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 6.5 | MEDIUM | — |
| cisa | — | 6.5 | MEDIUM | — |
CISA
Fortinet FortiOS Default Configuration Vulnerability
cisa · 2021-11-03 · CVSS 6.5 · CVE-2019-5591 [MEDIUM] · CWE-306
Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Directory Access Protocol (LDAP) server.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-5591
Remediation Due Date: 2022-05-03
Fortinet
FG-IR-19-037: A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
vendor_fortinet · 2020-08-14 · CVSS 6.5 · CVE-2019-5591 [MEDIUM] · CWE-306
CVEs: CVE-2019-5591
CWEs: CWE-306
CVSS: 6.5 (medium)
Affected products: FortiOS
GHSA
GHSA-p9g8-h33v-mg42: A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
ghsa_unreviewed · 2022-05-24 · CVE-2019-5591 [MEDIUM] · CWE-200
VulnCheck
Fortinet FortiOS Default Configuration Vulnerability
vulncheck · 2019 · CVSS 6.5 · CVE-2019-5591 [MEDIUM] · CWE-306
Fortinet FortiOS contains a default configuration vulnerability that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Directory Access Protocol (LDAP) server.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.ic3.gov/media/news/2021/210402.pdf
- https://www.ic3.gov/media/news/2021/210527.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://us-cert.cisa.gov/ncas/alerts/aa21-321a
- https://cisa.gov/news-events/cybersecurity-advisories/aa21-321a
No detection rules found.
Nuclei
FortiOS - Insecure LDAP Configuration Detection
nuclei · CVSS 6.5 · CVE-2019-5591 [MEDIUM]
The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions.
Template: reproduced in full above under Detection & IOCs.
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable · 2025-06-27
Tenable
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
blogs_tenable · 2025-01-14 · CVSS 9.8 [CRITICAL]
Tenable
CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
blogs_tenable · 2024-02-09 · CVSS 9.8 [CRITICAL]
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable · 2023-08-03
Tenable
AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks
blogs_tenable · 2022-09-15
Tenable
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
blogs_tenable · 2021-08-25
Tenable
How Risk-based Vulnerability Management Can Help Address the Most Commonly Exploited Vulnerabilities Today
blogs_tenable · 2021-07-30
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
blogs_qualys · 2021-07-29 · CVSS 10.0 [CRITICAL]
#### Table of Contents
- Top Routinely Exploited Vulnerabilities
- Detect CISA's Top Routinely Exploited Vulnerabilities using Qualys VMDR
- Recommendations
- Remediation and Mitigation
- Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the large
Fortinet
Prioritizing Patching is Essential for Network Integrity
blogs_fortinet · 2021-06-01 · CVSS 9.1 [CRITICAL]
PSIRT BLOGS
By Carl Windsor | June 01, 2021
Regarding the FBI - CISA/NCSC alerts of FortiGate SSL-VPN vulnerabilities being exploited in the wild
A recent FBI advisory outlined that foreign hackers had gained access to a local US municipal government network after exploiting vulnerabilities in an unpatched Fortinet networking appliance.
This advisory, however, was not the result of cybercriminals targeting a newly identified security issue. The sad fact is, fixes for these vulnerabilities had been shared with affected customers over two years ago. This and similar incidents highlight that the failure to patch vulnerable systems still represents one of the most critical security gaps in many organizations and is responsible for th
Zscaler
Reduce Business Risk by Eliminating the VPN Attack Surface
blogs_zscaler · 2021-05-27
Tenable
CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors
blogs_tenable · 2021-04-08 · CVSS 9.1 [CRITICAL]
Fortinet
Patch and Vulnerability Management | Fortinet
blogs_fortinet · 2021-04-03 · CVSS 6.5 [MEDIUM]
PSIRT BLOGS
By Carl Windsor | April 03, 2021
In May 2019, Fortinet issued a PSIRT advisory regarding an SSL vulnerability that had been identified by a third party research team and which we resolved. As part of this process, we issued a Customer Support Bulletin (CSB-200716-1) to highlight the need for customers to upgrade their affected systems. We also published a blog about this for our customers in August 2019 when this vulnerability was made public post-resolution at Black Hat in August 2019. Over a year later, the UK NCSC shared that these same vulnerabilities were still being targeted in the wild, and we published another blog in July 2020 and then another in November 2020 with the goal of continuing to educate and communicate with our customer
Timeline
- 2020-08-14: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild