5-Year-Old FortiOS 2FA Flaw Actively Exploited, Fortinet Warns
▼ Summary
– Fortinet warns that a critical 2020 vulnerability (CVE-2020-12812) allowing 2FA bypass on FortiGate firewalls is still being actively exploited.
– The flaw lets attackers log in without a second authentication factor by changing the case of the username when specific LDAP and local user configurations are in place.
– Fortinet patched the issue in July 2020 and advised administrators to either update their systems or disable username-case-sensitivity as a workaround.
– U.S. cybersecurity agencies have previously linked this vulnerability to state-backed hackers and ransomware attacks, adding it to a catalog of known exploited flaws.
– This incident is part of a pattern where Fortinet vulnerabilities, including recent zero-days in FortiWeb products, are frequently targeted by threat actors.
Organizations relying on Fortinet FortiGate firewalls for network security face an ongoing threat, as a critical vulnerability from 2020 is still being actively exploited by attackers. This flaw allows threat actors to bypass two-factor authentication (2FA) protections, gaining unauthorized access to vulnerable systems. The persistence of this issue highlights the critical need for consistent patch management and configuration review in enterprise security environments.
The vulnerability, identified as CVE-2020-12812, is an improper authentication flaw within FortiGate SSL VPN. It enables attackers to log into unpatched firewalls without providing the required second authentication factor, such as a FortiToken. The bypass occurs when a user changes the case of their username during login attempts. Fortinet originally addressed this issue in July 2020, explaining that the problem stemmed from inconsistent case-sensitive matching between local and remote authentication methods. The company released patches in FortiOS versions 6.4.1, 6.2.4, and 6.0.10 at that time.
Despite the availability of fixes for over five years, Fortinet recently confirmed that malicious actors continue to exploit this vulnerability in active campaigns. The attacks specifically target firewalls with LDAP (Lightweight Directory Access Protocol) enabled. For an organization to be vulnerable, several specific conditions must be in place. There must be local user entries on the FortiGate that are configured for two-factor authentication and linked to an LDAP source. Furthermore, these users must belong to an LDAP group that is also configured on the firewall itself.
Fortinet’s recent advisory notes that part of the problem involves a specific misconfiguration. “A secondary LDAP Group that is used when the local LDAP authentication fails” can create the opening for exploitation. The company recommends that if such a secondary group is not necessary, it should be removed entirely. If no LDAP groups are configured for authentication, the attack vector is effectively closed, as authentication will fail if the username does not match a local entry precisely.
This is not the first warning about the active abuse of this flaw. In April 2021, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert stating that state-sponsored hackers were targeting FortiOS instances using exploits for multiple vulnerabilities, including CVE-2020-12812 for 2FA bypass. Later that year, in November 2021, CISA formally added the vulnerability to its Known Exploited Vulnerabilities Catalog, noting its use in ransomware attacks and mandating federal agencies to patch their systems by May 2022.
The continued exploitation of this older flaw underscores a broader trend within the cybersecurity landscape. Fortinet products are frequently targeted by attackers, often through zero-day vulnerabilities. For example, in late 2024, the company warned customers about an actively exploited zero-day in FortiWeb (CVE-2025-58034), just one week after confirming it had silently patched another FortiWeb zero-day (CVE-2025-64446) that was being abused in widespread attacks. These incidents collectively emphasize the importance of vigilant security hygiene, including timely application of patches and rigorous configuration audits, to defend against both old and new threats.
(Source: Bleeping Computer)
