
Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks

Published:

29 December 2025 at 11:16:03

Alert date:

29 December 2025 at 12:02:09

Source:

bleepingcomputer.com


Network Infrastructure, Identity & Access

Fortinet warns that threat actors are actively exploiting a critical 5-year-old FortiOS vulnerability that allows bypassing two-factor authentication on FortiGate firewalls. The vulnerability remains unpatched on many systems and continues to be exploited in ongoing attacks. Organizations using FortiGate firewalls are at risk of unauthorized access despite having 2FA enabled. This represents a significant security concern as 2FA is considered a critical security control. The persistent exploitation of this old vulnerability highlights the importance of timely patching and system updates.

Technical details

CVE-2020-12812 is an improper authentication flaw in the FortiGate SSL VPN that lets an attacker bypass two-factor authentication by changing the case of the username. The vulnerability occurs when 2FA is enabled in the 'user local' setting and the user's authentication type is set to a remote authentication method such as LDAP. The issue exists because case-sensitive matching is applied inconsistently between local and remote authentication. To be vulnerable, organizations must have local user entries requiring 2FA that are linked to LDAP, with those users belonging to an LDAP group configured on the FortiGate.
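The mismatch described above, modelled in Python as an added example that is not Fortinet's code: the local 2FA table is matched case-sensitively while the LDAP lookup is not, so a case variant of the username never hits the entry that demands a second factor. The `case_sensitive_local` flag, the log format and every user, password and token are constructed assumptions.

```python
# Simplified model of the CVE-2020-12812 condition (constructed, not FortiOS code).
LOCAL_2FA_USERS = {"alice"}                              # 'user local' entries requiring 2FA, linked to LDAP
LDAP_DIRECTORY = {"alice": "pw-alice", "bob": "pw-bob"}  # remote authentication store (constructed)
LDAP_GROUP = {"alice", "bob"}                            # LDAP group configured on the firewall
VALID_TOKENS = {"alice": "492810"}                       # current OTP per 2FA user (constructed)


def ldap_authenticate(username, password):
    """LDAP compares usernames case-insensitively (assumption of this model)."""
    key = username.lower()
    return LDAP_DIRECTORY.get(key) == password and key in LDAP_GROUP


def login(username, password, otp, case_sensitive_local=True):
    """Return the decision of the modelled VPN login flow.

    case_sensitive_local=True models the vulnerable behaviour: the local 2FA table
    is consulted with the username exactly as typed, so 'Alice' misses 'alice'.
    False models the corrected behaviour: the lookup is normalised first, so the
    second-factor requirement applies to every case variant of the user.
    """
    if not ldap_authenticate(username, password):
        return "deny: bad credentials"
    lookup = username if case_sensitive_local else username.lower()
    if lookup in LOCAL_2FA_USERS and VALID_TOKENS.get(lookup) != otp:
        return "deny: second factor required"
    return "allow"


def case_variant_logins(log_lines):
    """Flag successful logins whose username is a case variant of a local 2FA user.

    A defender-side check on authentication logs; the 'key=value' line format is a
    constructed example, not FortiOS syslog.
    """
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        user = fields.get("user", "")
        if (fields.get("result") == "success"
                and user not in LOCAL_2FA_USERS
                and user.lower() in LOCAL_2FA_USERS):
            hits.append(user)
    return hits
```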

Mitigation steps:

Update to FortiOS versions 6.4.1, 6.2.4, or 6.0.10 or later
Turn off username-case-sensitivity if unable to deploy security update
Remove secondary LDAP Group if not required
Review and properly configure LDAP group settings
Federal agencies must secure systems by May 2022 per CISA directive

Affected products:

FortiOS versions prior to 6.4.1, 6.2.4, and 6.0.10
FortiGate SSL VPN
FortiGate firewalls
FortiWeb


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
