CISA Warns of Fortinet FortiOS Hard-Coded Credentials Vulnerability Exploited in Attacks

CISA has issued a critical warning regarding a Fortinet FortiOS vulnerability that poses significant risks to network security infrastructure. 

On June 25, 2025, CISA added CVE-2019-6693 to its Known Exploited Vulnerabilities (KEV) catalog, indicating that this hard-coded credentials flaw is being actively exploited in real-world attacks. 

Organizations using Fortinet FortiOS systems now face a mandatory remediation deadline of July 16, 2025, as mandated by federal cybersecurity directives.

Summary
1. CISA added CVE-2019-6693 to its Known Exploited Vulnerabilities catalog on June 25, 2025, confirming active exploitation of Fortinet FortiOS systems in real-world attacks.
2. The vulnerability involves hard-coded encryption keys that allows attackers to decrypt sensitive data from FortiOS configuration backup files.
3.Organizations using affected Fortinet FortiOS systems have until July 16, 2025, to implement vendor mitigations or discontinue product use.

Hard-Coded Credential Vulnerability

The inclusion of CVE-2019-6693 in CISA’s KEV catalog represents a significant escalation in the threat landscape surrounding Fortinet’s FortiOS operating system. 

This vulnerability, classified under CWE-798 (Use of Hard-coded Credentials), has demonstrated active exploitation patterns that prompted federal cybersecurity authorities to mandate an immediate organizational response. 

This vulnerability allows threat actors to decipher sensitive data contained within FortiOS configuration backup files through knowledge of the hard-coded encryption key. 

The exploitation mechanism relies on attackers gaining access to these backup files and then leveraging the predictable cryptographic key to decrypt sensitive configuration data.

The technical classification under CWE-798 indicates this vulnerability represents a broader category of security weaknesses where software contains hard-coded credentials that cannot be changed without modifying the source code. 

In the context of FortiOS systems, this means that default encryption keys used for configuration backups remain static and predictable across installations. 

Threat actors with knowledge of these keys can potentially access sensitive network configuration data, user credentials, and other critical security parameters stored within backup files.

The KEV catalog serves as the authoritative source for vulnerabilities that have been confirmed as exploited in the wild, making this designation particularly concerning for network defenders and cybersecurity professionals.

The addition of this Fortinet vulnerability underscores the critical nature of hard-coded credential weaknesses in enterprise network infrastructure. 

Federal agencies and critical infrastructure operators must treat this designation as a high-priority security concern requiring immediate attention and resource allocation.

Mitigations

Organizations operating Fortinet FortiOS systems must implement vendor-provided mitigations before the July 16, 2025, deadline established by CISA. 

The remediation requirements follow applicable Binding Operational Directive (BOD) 22-01 guidance for cloud services, emphasizing the federal government’s commitment to proactive vulnerability management across critical infrastructure sectors.

Network administrators should immediately consult Fortinet’s security advisory FG-IR-19-007 for specific mitigation procedures and patch availability. 

Organizations unable to implement adequate mitigations are directed to discontinue use of affected products until proper security measures can be established. 

This timeline reflects the serious nature of active exploitation and the potential for continued threat actor activity targeting vulnerable FortiOS installations across enterprise networks.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now