
Critical Flaw Exposes 10K+ Fortinet Firewalls to 2FA Bypass

Originally published on: January 4, 2026
Summary

– Over 10,000 Fortinet firewalls remain exposed online and vulnerable to attacks exploiting a critical 2020 two-factor authentication bypass flaw (CVE-2020-12812).
– The vulnerability, rated 9.8/10 in severity, allows attackers to log into unpatched SSL VPN firewalls without a second authentication factor by changing the username’s case.
– Fortinet recently warned that attackers are still actively exploiting this flaw, particularly targeting firewalls with LDAP enabled.
– U.S. cybersecurity agencies have previously linked this vulnerability to state-sponsored hacking and ransomware attacks, and federal agencies were required to patch it.
– Fortinet devices are frequent targets, with other recent critical vulnerabilities also being actively exploited by threat actors.

A significant number of Fortinet firewalls remain at risk due to a critical security flaw that allows attackers to bypass two-factor authentication. More than 10,000 Fortinet firewalls are currently exposed online, vulnerable to ongoing attacks that exploit this five-year-old vulnerability. The issue, identified as CVE-2020-12812, is an improper authentication flaw within FortiGate SSL VPN systems. It enables attackers to log in without providing the required second authentication factor, such as a FortiToken, simply by altering the case of a username. Fortinet originally addressed the problem in July 2020 with updates to FortiOS versions 6.4.1, 6.2.4, and 6.0.10, advising administrators who could not patch immediately to disable username-case-sensitivity as a temporary defensive measure.
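One way to hunt for the case-variation behaviour described above, added here as an example and not taken from Fortinet or the original report: it flags VPN logins whose username matches a 2FA-enrolled account only when case is ignored. The event field names, the account list and the sample events are constructed assumptions, not a FortiOS log schema.

```python
"""Flag VPN logins that match a 2FA-enrolled account only when case is ignored."""

# Constructed inventory: usernames exactly as configured with a second factor.
TWO_FACTOR_USERS = {"jsmith", "a.kumar"}

# Constructed sample events; the field names are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2026-01-03T08:01:12Z", "user": "jsmith", "src": "198.51.100.7",
     "result": "success", "second_factor": True},
    {"time": "2026-01-03T08:14:50Z", "user": "JSmith", "src": "203.0.113.40",
     "result": "success", "second_factor": False},
    {"time": "2026-01-03T08:15:02Z", "user": "A.Kumar", "src": "203.0.113.40",
     "result": "failure", "second_factor": False},
    {"time": "2026-01-03T09:30:00Z", "user": "guest1", "src": "198.51.100.9",
     "result": "success", "second_factor": False},
    {"time": "2026-01-03T10:02:41Z", "user": "Jsmith", "src": "198.51.100.7",
     "result": "success", "second_factor": True},
]


def classify(event, enrolled=TWO_FACTOR_USERS):
    """Return 'bypass', 'probe', 'case-variant' or None for one login event."""
    user = event["user"]
    if user in enrolled:
        return None  # exact-case match: the normal 2FA path applies
    folded = {name.casefold() for name in enrolled}
    if user.casefold() not in folded:
        return None  # not a 2FA-enrolled account under any casing
    if event["result"] != "success":
        return "probe"  # failed attempt using a case variant of an enrolled name
    # Success under a case variant: the missing second factor is the key signal.
    return "case-variant" if event["second_factor"] else "bypass"


def find_case_variants(events, enrolled=TWO_FACTOR_USERS):
    """Return (verdict, user, src, time) for every event worth reviewing."""
    findings = []
    for event in events:
        verdict = classify(event, enrolled)
        if verdict:
            findings.append((verdict, event["user"], event["src"], event["time"]))
    return findings


if __name__ == "__main__":
    for finding in find_case_variants(SAMPLE_EVENTS):
        print(*finding)
```

A `bypass` verdict is the one to triage first; `probe` and `case-variant` entries from the same source address give context for it.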

Despite these warnings and available fixes, the threat persists. Fortinet recently alerted customers that attackers are actively targeting devices with vulnerable configurations, specifically those that have LDAP (Lightweight Directory Access Protocol) enabled. The company confirmed it has observed recent abuse of this vulnerability in real-world attacks. Security monitoring organization Shadowserver reported the alarming scale of the exposure, tracking over 10,000 unpatched firewalls accessible from the internet. Over 1,300 of these vulnerable IP addresses are located within the United States, highlighting a widespread security concern.

This vulnerability has a long history of exploitation by sophisticated threat actors. In April 2021, U.S. cybersecurity agencies CISA and the FBI warned that state-sponsored hacking groups were leveraging exploits for multiple FortiOS flaws, including CVE-2020-12812, to bypass two-factor authentication. By November of that year, CISA had added the flaw to its catalog of known exploited vulnerabilities, noting its use in ransomware campaigns and mandating that federal agencies secure their systems by May 2022.

Fortinet’s products are frequently targeted in cyberattacks, often before patches are widely available. For example, in December 2024, cybersecurity firm Arctic Wolf reported that threat actors were already abusing a critical authentication bypass flaw, tracked as CVE-2025-59718, to take over administrator accounts through malicious single sign-on logins. Just one month prior, Fortinet had warned about an actively exploited zero-day in FortiWeb (CVE-2025-58034), followed by confirmation a week later that it had quietly patched a second FortiWeb zero-day (CVE-2025-64446) used in widespread attacks.

The pattern of exploitation underscores the persistent targeting of network perimeter devices. In a notable incident from February 2025, Fortinet disclosed that the Chinese state-sponsored group known as Volt Typhoon had used two older FortiOS vulnerabilities, CVE-2023-27997 and CVE-2022-42475, to implant a custom backdoor called Coathanger on a Dutch military network. This ongoing cycle of discovery, exploitation, and patching emphasizes the critical need for organizations to apply security updates promptly and maintain vigilant monitoring of their network infrastructure.

(Source: Bleeping Computer)
