


Perceptive Security
SOC/SIEM Consultancy

Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability
Published:
25 December 2025 at 08:22:00
Alert date:
25 December 2025 at 09:02:33
Source:
thehackernews.com
Network Infrastructure, Identity & Access, Zero-Day Vulnerabilities
Fortinet has observed active exploitation of CVE-2020-12812, a five-year-old authentication bypass vulnerability in FortiOS SSL VPN. The flaw allows users to successfully log in without being prompted for the second factor of authentication under certain configurations. Despite being patched years ago, the vulnerability is now being actively abused in the wild, indicating that many organizations may still be running vulnerable versions of FortiOS.
Technical details
CVE-2020-12812 is an improper authentication vulnerability in FortiOS SSL VPN that allows users to bypass two-factor authentication by changing the case of their username. The vulnerability occurs when 2FA is enabled in the 'user local' setting with remote authentication (LDAP). The issue stems from inconsistent case handling between local and remote authentication: FortiGate matches usernames case-sensitively, while the LDAP directory does not. When the case of the submitted username does not exactly match the local user, FortiGate fails to match the local account (and the 2FA requirement attached to it), continues through the remaining authentication policies, and may authenticate the user via an LDAP group that does not require 2FA.
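The authentication order described above, as an added Python model that is not Fortinet code and is not taken from the advisory. It reduces the flow to the two decisions that matter: a case-sensitive lookup against local users (which carry the second factor), followed by a fall-through to a case-insensitive LDAP group. The class and function names, the tenant 'alice' and the password check (modelled as a simple flag rather than a real LDAP bind) are constructed assumptions; the hardened variant corresponds to disabling username case sensitivity on the local accounts, and the audit helper shows the kind of check a SIEM would run to find logins that skipped a local account's 2FA.

```python
"""Model of the CVE-2020-12812 authentication order.

Added, constructed illustration: not Fortinet code and not from the advisory.
Class, function and account names are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalUser:
    name: str
    two_factor: bool  # True when a second factor is configured on this account


@dataclass(frozen=True)
class AuthResult:
    authenticated: bool
    via: str  # "local", "ldap-group" or "denied"
    second_factor_required: bool


class SslVpnGateway:
    """Simplified SSL VPN login: local users are tried first, then the LDAP group."""

    def __init__(self, local_users, ldap_group_members, username_case_sensitive):
        self.local_users = {u.name: u for u in local_users}
        # The directory matches names case-insensitively, so members are normalised.
        self.ldap_group_members = {m.lower() for m in ldap_group_members}
        self.username_case_sensitive = username_case_sensitive

    def _find_local(self, username):
        if self.username_case_sensitive:
            # Exact match only: 'Alice' does not match the local user 'alice'.
            return self.local_users.get(username)
        return next(
            (u for n, u in self.local_users.items() if n.lower() == username.lower()),
            None,
        )

    def login(self, username, password_ok):
        """password_ok stands in for the (LDAP-backed) password verification."""
        if not password_ok:
            return AuthResult(False, "denied", False)
        local = self._find_local(username)
        if local is not None:
            # Local match: the account's second factor applies.
            return AuthResult(True, "local", local.two_factor)
        if username.lower() in self.ldap_group_members:
            # No local match: fall through to the LDAP group, which carries no 2FA.
            return AuthResult(True, "ldap-group", False)
        return AuthResult(False, "denied", False)


# Constructed tenant: 'alice' is a local user with 2FA whose password is checked
# remotely, and the same directory account is also a member of the VPN LDAP group.
LOCAL_USERS = [LocalUser("alice", two_factor=True)]
LDAP_GROUP = ["alice"]


def vulnerable_gateway():
    """Behaviour on affected versions: case-sensitive local matching."""
    return SslVpnGateway(LOCAL_USERS, LDAP_GROUP, username_case_sensitive=True)


def hardened_gateway():
    """Equivalent of disabling username case sensitivity on the local accounts."""
    return SslVpnGateway(LOCAL_USERS, LDAP_GROUP, username_case_sensitive=False)


def second_factor_enforced(gateway, username):
    """True when a correct-password login for `username` still requires the second factor."""
    result = gateway.login(username, password_ok=True)
    return result.authenticated and result.second_factor_required


def find_bypass_logins(gateway, login_records):
    """Audit helper: successful logins that skipped the 2FA of a matching local account.

    `login_records` are constructed (username, via, second_factor_required) tuples,
    the shape a SIEM would derive from the VPN event log.
    """
    local_2fa = {n.lower() for n, u in gateway.local_users.items() if u.two_factor}
    return [
        user
        for user, via, second_factor in login_records
        if via == "ldap-group" and not second_factor and user.lower() in local_2fa
    ]


if __name__ == "__main__":
    for label, gw in (("vulnerable", vulnerable_gateway()), ("hardened", hardened_gateway())):
        for name in ("alice", "Alice"):
            r = gw.login(name, password_ok=True)
            print(f"{label:10s} {name:6s} -> via={r.via:10s} 2fa={r.second_factor_required}")
```

Running the block prints the four combinations: on the vulnerable gateway 'alice' is matched locally with 2FA, while 'Alice' misses the local account and lands on the LDAP group without it; on the hardened gateway both spellings resolve to the local account. The audit helper is the check behind the last mitigation step: any LDAP-group login without a second factor whose name matches a local 2FA account (ignoring case) is evidence that credentials should be reset.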
Mitigation steps:
Update to FortiOS 6.0.10, 6.2.4, 6.4.1 or later versions
Run command 'set username-case-sensitivity disable' for all local accounts on older versions
Run command 'set username-sensitivity disable' on FortiOS versions 6.0.13, 6.2.10, 6.4.7, 7.0.1 or later
Consider removing secondary LDAP Group if not required
Contact Fortinet support team if affected
Reset all credentials if evidence of admin or VPN users authenticated without 2FA is found
Affected products:
FortiOS SSL VPN
FortiGate
FortiOS versions prior to 6.0.10
FortiOS versions prior to 6.2.4
FortiOS versions prior to 6.4.1
Related links:
https://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-analysis-observed-abuse-of-fg-ir-19-283
https://www.fortiguard.com/psirt/FG-IR-19-283
https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html
https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html
https://thehackernews.com/2023/12/double-extortion-play-ransomware.html
https://thehackernews.com/2021/07/top-30-critical-security.html
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
