What happened
CISA added CVE-2019-6693 (Fortinet FortiOS) to the Known Exploited Vulnerabilities (KEV) catalog on 2025-06-25, signaling in-the-wild exploitation and a required remediation window for federal networks (CISA KEV). The vulnerability is classified as Use of Hard-Coded Credentials (CWE-798) affecting FortiOS configuration backup handling (NVD CVE-2019-6693). The KEV entry instructs organizations to apply vendor mitigations per guidance or discontinue use where mitigations are unavailable, and sets a due date of 2025-07-16 for federal agencies (CISA KEV). CISA also flags this CVE as used in ransomware campaigns, placing it in the high-priority triage tier for defenders (CISA KEV).
Why it matters
Hard-coded credentials and cryptographic keys create a single, predictable secret across deployments, which undermines confidentiality and makes post-compromise data processing trivial once the secret is known (NVD CVE-2019-6693). In this case, FortiOS configuration backup files are at risk because knowledge of the hard-coded key enables an attacker to process sensitive contents protected by that key (MITRE CVE-2019-6693). When a firewall/router configuration archive is exposed or stolen, threat actors can mine it for network details and credentials, amplifying lateral movement and persistence opportunities, which aligns with why CISA elevates it into the KEV for active exploitation pressure (CISA KEV).
Technical detail
CVE-2019-6693 maps to CWE-798 (Use of Hard-Coded Credentials), indicating that FortiOS employs a built-in credential or key in a way that impacts the security of configuration backup files (NVD CVE-2019-6693). Per the public record, attackers with knowledge of the hard-coded key can "cipher" sensitive data within FortiOS configuration backup files—i.e., process the data using that key—undermining the protection expected for those backups (MITRE CVE-2019-6693). Because KEV inclusion requires evidence of exploitation, defenders should assume adversaries are actively targeting, obtaining, and leveraging FortiOS configuration backups in the wild (CISA KEV).
The vulnerability's impact scope centers on the confidentiality of data inside configuration backups that are protected with the hard-coded key (NVD CVE-2019-6693). An adversary does not need bespoke cracking if the key or credential is constant; once the backup file is acquired, the processing step becomes deterministic and fast, which is consistent with automated post-exploitation workflows (MITRE CVE-2019-6693). KEV classification and the ransomware-use flag further indicate operationalized abuse rather than proof-of-concept-only activity (CISA KEV).
Defense
- Immediate action: follow KEV guidance—apply vendor mitigations, and if mitigations are not available, remove affected instances from service by the KEV due date (2025-07-16) (CISA KEV).
- Treat FortiOS configuration backups as high-sensitivity artifacts; enforce access controls and monitoring around their creation, storage, and transfer paths, given the key-based processing risk described in the CVE entry (NVD CVE-2019-6693).
- Assume backups obtained prior to mitigation may be compromised; rotate secrets and credentials that could be present in or derived from those backups, aligning with standard remediation after a hard-coded credential exposure (MITRE CVE-2019-6693).
- Detection priorities: monitor for configuration export/download activity spikes and unexpected backup movements across your management networks; KEV status indicates real-world exploitation pressure that often includes data theft of device configs (CISA KEV).
Lyrie Verdict
CVE-2019-6693 is tailor-made for automated adversaries: once a FortiOS configuration backup is exfiltrated, a static key eliminates computational friction—processing is immediate and scripted (NVD CVE-2019-6693). With CISA confirming active exploitation and ransomware use, defenders must assume machine-speed collection-and-processing loops are in play (CISA KEV). Lyrie's position: don't wait for human-in-the-loop triage. Enforce autonomous controls that 1) continuously fingerprint and watch for FortiOS configuration export patterns, 2) auto-isolate management planes on anomalous backup activity, and 3) flag downstream use of known hard-coded-key workflows on captured artifacts. Our anti-rogue-AI stack focuses on preempting the exfil-to-decode pipeline in seconds, not hours, by correlating config-backup access with immediate data-processing signals consistent with CWE-798 abuse (MITRE CVE-2019-6693).
Lyrie Verdict
CVE-2019-6693 enables a fully automated exfiltrate-and-process loop: once a FortiOS config backup is stolen, the static key makes data processing instantaneous. With CISA confirming in‑the‑wild and ransomware use, Lyrie prioritizes machine‑speed defenses—autonomous detection of config export patterns, auto‑isolation on anomalous backup access, and correlation of exfil events with known hard‑coded‑key processing behaviors to break the loop before humans can react.