Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability (CVE-2020-12812)

Published on: December 27, 2025

Overview:

Fortinet has issued a new advisory warning about active exploitation of an old vulnerability in FortiOS SSL VPN.
The vulnerability allows attackers to bypass Two-Factor Authentication (2FA) under certain configurations.

Although this issue was originally discovered in 2020, Fortinet has confirmed that it is now being actively exploited in the wild by multiple threat actors.

Who It Impacts:

This issue impacts organizations that:

  • Use FortiGate firewalls
  • Have SSL VPN, IPSEC VPN, or administrative access enabled
  • Use Two-Factor Authentication (2FA) for local users
  • Authenticate users via LDAP (Active Directory or similar)

Organizations running older or misconfigured FortiOS versions are at higher risk.

How It Impacts:

If vulnerable configurations are present, attackers can:

  • Log in without completing 2FA
  • Gain access to:
    • SSL VPN
    • IPSEC VPN
    • Administrative interfaces
  • Potentially compromise the entire network perimeter

This happens because FortiGate treats usernames as case-sensitive, while LDAP does not.

Example:
If the real username is jsmith, logging in as JSmith or jsmiTh can bypass the local 2FA check and authenticate directly via LDAP.

CVE Details:

  • CVE ID: CVE-2020-12812
  • CVSS Score: 5.2 (Medium)
  • Vulnerability Type: Improper Authentication
  • Affected Component: FortiOS SSL VPN
  • Issue Description:
    A user can bypass 2FA by changing the case of the username when LDAP authentication is used alongside local users with 2FA.

Conditions required for exploitation:

  • Local users configured with 2FA on FortiGate
  • Authentication backend set to LDAP
  • Users belong to LDAP groups
  • LDAP groups are used in firewall, VPN, or admin authentication policies

If these conditions exist, 2FA can be completely bypassed.

Recommendations:
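To make the username-case mechanism concrete, here is an added example (written for this page, not Fortinet's code) that models the authentication order the advisory describes: a local user with 2FA is matched first, and a miss falls through to LDAP group authentication that has no 2FA. The user database, LDAP directory, policy group and token values are all constructed; the `username_sensitivity` flag models the `username-sensitivity` setting in the recommendations, and `policy_groups` models the LDAP groups referenced by a VPN policy.

```python
# Added example (not Fortinet's code): a minimal model of the FortiGate
# authentication order described on this page, showing why a case-variant
# username skips the local 2FA check and how disabling username case
# sensitivity closes the gap. All users, groups and tokens are constructed.

# Constructed local user database: FortiGate local users with 2FA enabled.
LOCAL_USERS = {
    "jsmith": {"password": "Winter2024!", "two_factor": True, "token": "123456"},
}

# Constructed LDAP directory: same credentials, but LDAP matches names
# case-insensitively and knows nothing about the FortiGate local 2FA setting.
LDAP_USERS = {
    "jsmith": {"password": "Winter2024!", "groups": {"VPN-Users"}},
}

# Constructed LDAP groups referenced by the SSL VPN policy.
POLICY_LDAP_GROUPS = {"VPN-Users"}


def ldap_bind(username, password):
    """Case-insensitive LDAP lookup; returns the entry on success, else None."""
    entry = LDAP_USERS.get(username.lower())
    if entry and entry["password"] == password:
        return entry
    return None


def authenticate(username, password, token=None, *,
                 username_sensitivity=True, policy_groups=POLICY_LDAP_GROUPS):
    """Return (allowed, reason): local-user match with 2FA first, then fall
    through to LDAP group membership used by the policy (no 2FA)."""
    # With sensitivity disabled, jsmith / JSmith / JSMITH all hit the same local entry.
    key = username if username_sensitivity else username.lower()
    local = LOCAL_USERS.get(key)
    if local is not None:
        if local["password"] != password:
            return False, "local: bad password"
        if local["two_factor"] and token != local["token"]:
            return False, "local: 2FA required"
        return True, "local + 2FA"
    # No local match (e.g. case-variant name): fall through to LDAP group auth.
    entry = ldap_bind(username, password)
    if entry and entry["groups"] & policy_groups:
        return True, "ldap group (no 2FA)"
    return False, "denied"
```

Passing an empty `policy_groups` models the second recommendation (removing unnecessary LDAP groups from the policy), which also closes the fall-through path.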

Fortinet strongly recommends the following actions:

1. Apply Configuration Fix Immediately

Run the appropriate command based on your FortiOS version:

  • If your organization has not deployed FortiOS 6.0.10, 6.2.4, or 6.4.1 to mitigate the issue, the following should be set on all local accounts:

    set username-case-sensitivity disable

  • or on later versions (v6.0.13, v6.2.10, v6.4.7, v7.0.1 and above):

    set username-sensitivity disable

With username-sensitivity set to disable, FortiGate will treat jsmith, JSmith, JSMITH and all other case combinations as identical and therefore prevent failover to any other misconfigured LDAP group setting.

2. Remove Unnecessary LDAP Groups