⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions.

CVE-2019-5591: Missing Authentication for Critical Function in Fortinet FortiOS

Severity: 6.5 MEDIUM (NVD)
EPSS: 48.4% (top 2.25%)
CISA KEV: added 2021-11-03, due 2022-05-03
Exploit: Exploited in the wild; active exploitation observed
Timeline:
Published: Aug 14, 2020
KEV added: Nov 3, 2021
KEV due: May 3, 2022
Latest update: May 24, 2022
CISA Required Action: Apply updates per vendor instructions.

Description

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: fortinet/fortios 6.2.0
CVEListV5: fortinet/fortinet_fortios (FortiOS 6.2.0 and below)

🔴Vulnerability Details (3)

GHSA
GHSA-p9g8-h33v-mg42: A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. (2022-05-24)
CVEList
CVE-2019-5591: A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. (2020-08-14)
VulnCheck
Fortinet FortiOS Default Configuration Vulnerability (2019)

💥Exploits & PoCs (1)

Nuclei
FortiOS - Insecure LDAP Configuration Detection

📋Vendor Advisories (2)

CISA
Fortinet FortiOS Default Configuration Vulnerability (2021-11-03)
Fortinet
A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept s... (2020-08-14)
CVE-2019-5591 — Fortinet Fortios vulnerability | cvebase