Threats / Fortinet / CVE-2019-5591
CVE-2019-5591
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Fortinet FortiOS vulnerability
Fortinet FortiOS contains a default configuration vulnerability allowing unauthenticated attackers on the same subnet to impersonate LDAP servers and intercept sensitive information.
Verdict
Today item — known-exploited.
An unauthenticated network-adjacent attacker can exploit default FortiOS configuration to perform LDAP server impersonation attacks, enabling interception of credentials and sensitive data transmitted during authentication flows.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
15 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03).
Probability (EPSS)
EPSS 0.18566 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Fortinet, FortiOS. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-306 Missing Authentication — weakness family: Authentication.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I position myself on the target network segment and passively observe LDAP authentication traffic.
Business
Attacker gains visibility into authentication patterns and identifies systems relying on LDAP services.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I respond to LDAP requests by impersonating a legitimate directory server using the default configuration.
Business
Legitimate clients redirect their authentication attempts to the attacker-controlled endpoint.
3
Lateral reach — past segmentation narrative 3
Attacker
I capture credentials and sensitive directory information transmitted by clients during the spoofed authentication exchange.
Business
Attacker obtains valid user credentials and organizational directory data without detection.
4
Data at risk — exfiltration narrative 4
Attacker
I use harvested credentials to access internal systems and escalate my position within the network.
Business
Organization experiences unauthorized access to systems, data exfiltration, and potential lateral movement by attacker.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05