⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.. Due date: 2025-07-16.
CVE-2019-6693 — Hard-coded Credentials in Fortinet Fortios
Severity
6.5MEDIUMNVD
EPSS
72.2%
top 1.24%
CISA KEV
KEVRansomware
Added 2025-06-25
Due 2025-07-16
Exploit
No known exploits
Affected products
Timeline
PublishedNov 21
KEV addedJun 25
KEV dueJul 16
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Description
Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set).
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6
Affected Packages2 packages
🔴Vulnerability Details
3GHSA▶
GHSA-hx92-84x6-67mx: Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup fi↗2022-05-24
CVEList▶
CVE-2019-6693: Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup fi↗2019-11-21