


Perceptive Security
SOC/SIEM Consultancy

Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
Published:
2 January 2026 at 16:01:55
Alert date:
2 January 2026 at 17:02:22
Source:
bleepingcomputer.com
Network Infrastructure, Identity & Access, Critical Infrastructure
Over 10,000 Internet-exposed Fortinet firewalls remain vulnerable to a five-year-old two-factor authentication bypass vulnerability that is being actively exploited by attackers. The vulnerability allows threat actors to bypass 2FA protections on affected Fortinet devices, potentially granting unauthorized access to corporate networks. Despite the age of the vulnerability, thousands of organizations have failed to apply necessary patches, leaving their infrastructure exposed to ongoing attacks. The widespread exposure of these critical network security devices represents a significant risk to organizational security postures.
Technical details
CVE-2020-12812 is an improper authentication security flaw rated 9.8/10 in severity found in FortiGate SSL VPN. The vulnerability allows attackers to bypass two-factor authentication (FortiToken) by changing the case of the username when logging into unpatched firewalls. The vulnerability requires LDAP (Lightweight Directory Access Protocol) to be enabled on vulnerable configurations. Over 10,000 Fortinet firewalls are currently exposed online and vulnerable to ongoing attacks exploiting this five-year-old vulnerability.
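A detection sketch for the behaviour described above, added here as an example and not taken from the original article or from Fortinet: it flags VPN logins whose username matches a 2FA-enrolled account only after case folding. The log layout, the field names (`user`, `action`, `remip`), the action values and the user list are constructed assumptions to adapt to your own log schema.

```python
import re

# Assumption: local accounts with FortiToken 2FA enforced, spelled exactly
# as configured on the firewall (constructed sample values).
TWO_FACTOR_USERS = {"jsmith", "akhan"}

# Constructed sample events in a simplified key=value layout; field names
# and action values are assumptions, not a real FortiOS log schema.
SAMPLE_LOG = '''\
date=2026-01-02 time=09:14:02 action="login-success" user="jsmith" remip=198.51.100.7
date=2026-01-02 time=09:20:41 action="login-success" user="JSmith" remip=203.0.113.45
date=2026-01-02 time=09:21:10 action="login-failed" user="AKHAN" remip=203.0.113.45
date=2026-01-02 time=09:30:55 action="login-success" user="bwong" remip=198.51.100.9
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {k: (q if q else b) for k, q, b in KV.findall(line)}

def find_case_variant_logins(log_text, two_factor_users):
    """Return events whose username equals a 2FA user only after case folding."""
    folded = {u.casefold(): u for u in two_factor_users}
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        user = ev.get("user")
        if not user:
            continue
        configured = folded.get(user.casefold())
        # An exact match follows the normal 2FA path; only a case mismatch is suspicious.
        if configured is not None and user != configured:
            ev["configured_user"] = configured
            # A successful login under a case variant is the bypass candidate;
            # a failed one is still worth reviewing as a probe.
            ev["severity"] = "high" if ev.get("action") == "login-success" else "medium"
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in find_case_variant_logins(SAMPLE_LOG, TWO_FACTOR_USERS):
        print(hit["severity"], hit["user"], "->", hit["configured_user"], hit["remip"])
```

Users who simply type their name with different capitalisation will also match, so treat hits as leads to correlate with source address and token-validation events.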
Mitigation steps:
Update to FortiOS versions 6.4.1, 6.2.4, or 6.0.10 released in July 2020. For administrators who cannot immediately patch, turn off username-case-sensitivity to block 2FA bypass attempts. U.S. federal agencies were ordered to secure their systems by May 2022.
Affected products:
FortiGate SSL VPN
FortiOS (versions prior to 6.4.1, 6.2.4, and 6.0.10)
FortiWeb
FortiCloud SSO devices
Related links:
https://nvd.nist.gov/vuln/detail/cve-2020-12812
https://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-analysis-observed-abuse-of-fg-ir-19-283
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12812
http://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities
IOCs:
Over 10,000 exposed Fortinet firewall IP addresses globally
Over 1,300 vulnerable IP addresses in the United States
This article was created with the assistance of AI technology by Perceptive.
