Conversation

Rukhnuddin786
Fixed: CVE-2019-5591 - FortiOS - Man-in-the-Middle #13436

This pull request adds a comprehensive Nuclei template for CVE-2019-5591, a medium-severity default configuration vulnerability in FortiOS that allows for Man-in-the-Middle attacks on LDAP traffic.

This vulnerability is listed on CISA's Known Exploited Vulnerabilities (KEV) catalog and has been actively exploited by threat actors in ransomware campaigns, making its detection critical for organizations.

The template uses a multi-stage detection method, first fingerprinting a FortiOS device via its login page and then querying a legitimate API endpoint (/api/v2/monitor/system/status) to confirm the vulnerable version. This approach ensures high accuracy and avoids false positives.

  • Added CVE-2019-5591
  • References:
    • https://www.fortiguard.com/psirt/FG-IR-19-037
    • https://nvd.nist.gov/vuln/detail/CVE-2019-5591
    • https://www.cisa.gov/known-exploited-vulnerabilities-catalog (KEV Entry)
    • https://www.tenable.com/blog/frequently-asked-questions-about-iranian-cyber-operations (Threat Actor Exploitation)

/claim #13436
/attempt #13436

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

  • Shodan Query: cpe:"cpe:2.3:o:fortinet:fortios" or http.favicon.hash:945408572
  • Fofa Query: app="FORTINET-FortiGate" or icon_hash=945408572
  • Google Query: intitle:"FortiGate"

HTTP Matched Response Data Snippet:

The template triggers upon identifying a vulnerable version from the /api/v2/monitor/system/status endpoint.

{
  "serial": "FGT60E1234567890",
  "version": "v6.0.3,build0326,190104 (GA)",
  "hostname": "FortiGate-60E",
  "operating_mode": "normal"
}
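To make the version-confirmation stage concrete, here is an added example (not the Nuclei template from this PR) that parses the constructed status response quoted above and decides whether the reported build falls below a fixed release. The PR text does not state the affected version range, so `FIRST_FIXED_VERSION` is a placeholder assumption to be filled in from the FG-IR-19-037 advisory; the login-page check keys on the "FortiGate" title string, which is the only fingerprint the PR's Google query gives, and is likewise an assumption about how the fingerprinting stage works.

```python
import json
import re
from typing import Optional, Tuple

# Constructed sample, copied from the PR's "HTTP Matched Response Data Snippet".
SAMPLE_STATUS_RESPONSE = """{
  "serial": "FGT60E1234567890",
  "version": "v6.0.3,build0326,190104 (GA)",
  "hostname": "FortiGate-60E",
  "operating_mode": "normal"
}"""

# Constructed sample of a login page; only the title is used for fingerprinting.
SAMPLE_LOGIN_PAGE = "<html><head><title>FortiGate</title></head><body></body></html>"

# PLACEHOLDER assumption: the first release that carries the fix. The PR does not
# state the affected range; take the real boundary from FG-IR-19-037 before use.
FIRST_FIXED_VERSION: Tuple[int, int, int] = (6, 2, 1)

# FortiOS reports versions as "v<major>.<minor>.<patch>,build<nnnn>,<date> (GA)".
VERSION_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+),build(\d+)")
TITLE_RE = re.compile(r"<title>\s*([^<]*?)\s*</title>", re.IGNORECASE)


def looks_like_fortios_login(html: str) -> bool:
    """Stage 1: cheap fingerprint of the login page by its <title> (assumed check)."""
    m = TITLE_RE.search(html)
    return bool(m) and "fortigate" in m.group(1).lower()


def parse_fortios_version(version_field: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a FortiOS version string.

    Returns None when the field is not in the expected shape, so callers never
    compare against a half-parsed value.
    """
    m = VERSION_RE.match(version_field.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess_status_response(body: str) -> dict:
    """Stage 2: confirm the version from /api/v2/monitor/system/status.

    The result is conservative: anything that cannot be parsed is reported as
    not vulnerable with a reason, rather than guessed.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return {"version": None, "vulnerable": False, "reason": "body is not JSON"}
    if not isinstance(doc, dict) or not isinstance(doc.get("version"), str):
        return {"version": None, "vulnerable": False, "reason": "no version field"}
    version = parse_fortios_version(doc["version"])
    if version is None:
        return {"version": None, "vulnerable": False, "reason": "unparsable version"}
    # Tuple comparison gives a numeric, not lexical, ordering (6.0.10 > 6.0.3).
    vulnerable = version < FIRST_FIXED_VERSION
    return {"version": version, "vulnerable": vulnerable, "reason": "compared"}


def detect(login_html: str, status_body: str) -> dict:
    """Run both stages; stage 2 only counts if stage 1 identified a FortiOS device."""
    if not looks_like_fortios_login(login_html):
        return {"version": None, "vulnerable": False, "reason": "not a FortiOS login page"}
    return assess_status_response(status_body)


if __name__ == "__main__":
    print(detect(SAMPLE_LOGIN_PAGE, SAMPLE_STATUS_RESPONSE))
```

Gating the version comparison on the login-page fingerprint is what keeps the check from flagging unrelated devices that happen to expose a JSON `version` field, and the explicit `reason` in every result makes a "not vulnerable" verdict auditable instead of silent.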

@Rukhnuddin786
Author

/attempt #13436

@pussycat0x
Contributor

Hi @Rukhnuddin786, thank you for your interest in contributing templates to the project. At this time, we require templates that demonstrate full exploitation rather than just detection. While this submission does not meet the requirements for the Bounty Program, we can accept it as a version detection template for the Passive. Please let us know if you agree with this.

@Rukhnuddin786
Author

Rukhnuddin786 commented Oct 1, 2025 via email
