
Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass

Published: 2 January 2026 at 16:01:55

Alert date: 2 January 2026 at 17:02:22

Source: bleepingcomputer.com


Network Infrastructure, Identity & Access, Critical Infrastructure

Over 10,000 Internet-exposed Fortinet firewalls remain vulnerable to a five-year-old two-factor authentication bypass vulnerability that is being actively exploited by attackers. The vulnerability allows threat actors to bypass 2FA protections on affected Fortinet devices, potentially granting unauthorized access to corporate networks. Despite the age of the vulnerability, thousands of organizations have failed to apply necessary patches, leaving their infrastructure exposed to ongoing attacks. The widespread exposure of these critical network security devices represents a significant risk to organizational security postures.

Technical details

CVE-2020-12812 is an improper authentication flaw in FortiGate SSL VPN, rated 9.8/10 in severity. It allows attackers to bypass two-factor authentication (FortiToken) by changing the case of the username when logging into unpatched firewalls. Exploitation requires LDAP (Lightweight Directory Access Protocol) to be enabled on the vulnerable configuration. Over 10,000 Fortinet firewalls are currently exposed online and vulnerable to ongoing attacks exploiting this five-year-old vulnerability.

Mitigation steps:

Update to FortiOS versions 6.4.1, 6.2.4, or 6.0.10 released in July 2020. For administrators who cannot immediately patch, turn off username-case-sensitivity to block 2FA bypass attempts. U.S. federal agencies were ordered to secure their systems by May 2022.
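An added example (not from the advisory or from Fortinet): a Python audit of a FortiGate configuration backup that lists LDAP-backed local users with FortiToken enabled who still lack the case-sensitivity workaround described above. The config excerpt is constructed, and the `config user local` layout and the alternative `username-sensitivity` spelling are assumptions.

```python
# Constructed FortiGate config excerpt (not from the advisory); the layout
# follows the FortiOS CLI "config user local" block as an assumption.
SAMPLE_CONFIG = '''\
config user local
    edit "alice"
        set type ldap
        set two-factor fortitoken
    next
    edit "bob"
        set type ldap
        set two-factor fortitoken
        set username-case-sensitivity disable
    next
    edit "carol"
        set type password
    next
end
'''

# First name is the setting on the page; the second is an assumed newer spelling.
CASE_KEYS = ("username-case-sensitivity", "username-sensitivity")

def parse_local_users(config_text):
    """Return {username: {setting: value}} from the 'config user local' block."""
    users, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user local":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            users[current] = {}
        elif in_block and current and line.startswith("set "):
            _, key, *rest = line.split(None, 2)
            users[current][key] = rest[0].strip('"') if rest else ""
    return users

def exposed_users(config_text):
    """LDAP users with 2FA whose username match is still case-sensitive."""
    return sorted(
        name for name, s in parse_local_users(config_text).items()
        if s.get("type") == "ldap"
        and s.get("two-factor", "disable") != "disable"
        and not any(s.get(k) == "disable" for k in CASE_KEYS)
    )

if __name__ == "__main__":
    print(exposed_users(SAMPLE_CONFIG))
```

Any user the audit reports should be patched or given the workaround first, since those accounts combine LDAP with FortiToken and case-sensitive matching.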

Affected products:

FortiGate SSL VPN
FortiOS (versions prior to 6.4.1, 6.2.4, and 6.0.10)
FortiWeb
FortiCloud SSO devices


IOC's:

Over 10,000 exposed Fortinet firewall IP addresses globally; over 1,300 vulnerable IP addresses in the United States

This article was created with the assistance of AI technology by Perceptive.
