CVE-2019-5591 - FortiOS - Man-in-the-Middle 💰

[princechaddha]

Description:

FortiOS contains a default configuration vulnerability caused by improper LDAP server impersonation protection, letting unauthenticated attackers on the same subnet intercept sensitive information.

Severity: Medium (CVSS: 6.5)

Vulnerability Details:

• CVE ID: CVE-2019-5591
• CWE: CWE-306 (Missing Authentication for Critical Function)
• Affected Product: FortiOS (multiple versions)
• Attack Vector: Adjacent Network
• Authentication: None Required
• Impact: Information Disclosure (Man-in-the-Middle)

POC:

• https://www.fortiguard.com/psirt/FG-IR-19-037

KEV: True ✅

CISA KEV: Added 2021-11-03
Known Ransomware Campaign: Yes (exploited by Iranian threat actors)

EPSS Score: 0.02564 (84.995th percentile)

Shodan Query: cpe:"cpe:2.3:o:fortinet:fortios"

Exposure: ~472,971 hosts potentially exposed

---

Acceptance Criteria:
The template must include a complete POC and should not rely solely on version-based detection. Contributors must share vulnerable setup information or a testable instance by emailing templates@projectdiscovery.io. Providing a testable instance significantly reduces validation time and increases the chance of quicker rewards. Templates that are incomplete, invalid, or non-verifiable will not be accepted. Avoid submitting code templates for CVEs that can be detected using HTTP, TCP, or JavaScript only these are blocked by default and will not produce results. Exceptions may apply for certain cases. Do not submit AI-simulated vulnerable environments. To qualify for the bounty, the team must be able to fully validate the POC. If you have hosted a vulnerable environment for validation, send the details (IP or Docker setup) along with the PR number to templates[at]projectdiscovery.io

Note: This vulnerability has been actively exploited by Iranian threat actors and in ransomware campaigns. Requires network adjacency for exploitation.

---

References:

• https://www.fortiguard.com/psirt/FG-IR-19-037
• https://www.tenable.com/blog/frequently-asked-questions-about-iranian-cyber-operations
• https://www.hhs.gov/sites/default/files/iranian-threat-actors-and-healthcare.pdf
• https://cert-in.org.in/PDF/RANSOMWARE_Report_2022.pdf
• https://www.ic3.gov/media/news/2021/210527.pdf

You can check the FAQ for the Nuclei Templates Community Rewards Program here

[princechaddha]

/bounty $200

[algora-pbc]

💎 $200 bounty • ProjectDiscovery Bounty Available for CVE Template Contribution

Steps to Contribute:

• Claim attempt: Comment /attempt #13436 on this issue to claim attempt. Multiple participants can attempt, but only the first to submit a complete POC template along with full debug data will receive the reward similar to bug bounty programs.
• Write the Template: Create a high-quality Nuclei template for the specified CVE, following our Contribution Guidelines and Acceptance Criteria.
• Submit the Template: Open a pull request (PR) to projectdiscovery/nuclei-templates and include /claim #13436 in the PR body to claim the bounty.
• Receive Payment: Upon successful merge of your PR, you will receive 100% of the bounty through Algora.io within 2-5 days. Ensure you are eligible for payouts.

Thank you for contributing to projectdiscovery/nuclei-templates and helping us democratize security!

Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors must share vulnerable setup information or a testable instance by emailing templates@projectdiscovery.io. Providing a testable instance significantly reduces validation time and increases the chance of quicker rewards. Templates that are incomplete, invalid, or non-verifiable will not be accepted. Avoid submitting code templates for CVEs that can be detected using HTTP, TCP, or JavaScript only these are blocked by default and will not produce results. Exceptions may apply for certain cases. Do not submit AI-simulated vulnerable environments. To qualify for the bounty, the team must be able to fully validate the POC. If you have hosted a vulnerable environment for validation, send the details (IP or Docker setup) along with the PR number to templates[at]projectdiscovery.io

You can check the FAQ for the Nuclei Templates Community Rewards Program here.

Add a bounty • Share on socials

Attempt	Started (UTC)	Solution	Actions
🟢 @ye11oc4t	Oct 01, 2025, 03:23:11 PM	WIP
🟢 @naaa760	Oct 02, 2025, 07:06:46 AM	#13459	Reward
🟢 @Sushant6095	Oct 03, 2025, 09:09:30 AM	WIP
🟢 @theycaIImehades	Oct 03, 2025, 05:15:43 PM	WIP
🟢 @HeathKnowles	Sep 30, 2025, 07:33:24 AM	WIP
🟢 @SaikiranSurapalli17	Sep 30, 2025, 10:13:21 AM	WIP
🟢 @Rukhnuddin786	Sep 30, 2025, 01:15:31 PM	#13438	Reward

[HeathKnowles]

/attempt #13436

[SaikiranSurapalli17]

/attempt #13436

[ye11oc4t]

/attempt #13436

[naaa760]

/attempt #13436

[varn0xe]

/attempt #13436