Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability

25.12.2025 2 minutes Author: Newsman

Fortinet has reported active exploitation of an old but still dangerous vulnerability in FortiOS SSL VPN that allows attackers to bypass two-factor authentication under specific configurations. The flaw, tracked as CVE-2020-12812, abuses inconsistent username case handling and is once again being leveraged to gain unauthorized access to VPN and administrative accounts.

CVE-2020-12812 stems from improper authentication logic in FortiGate devices when local users with 2FA enabled are linked to remote LDAP authentication. While FortiGate treats usernames as case-sensitive, LDAP directories do not, creating a mismatch during the authentication process.

If a user logs in with a differently cased username, FortiGate fails to match it to the local account and proceeds to alternative authentication policies. When misconfigured LDAP groups are present, authentication can succeed without enforcing the second factor, even for accounts that are supposed to be protected by 2FA.

Fortinet stated that exploitation requires a specific configuration: local users with 2FA enabled, LDAP-based authentication, LDAP group membership, and policies that rely on those groups for VPN or administrative access.

  • Although the vulnerability was patched in 2020, it has resurfaced due to real-world abuse. The U.S. government previously listed CVE-2020-12812 among vulnerabilities weaponized in attacks against perimeter network devices.

  • Fortinet addressed the issue in FortiOS versions 6.0.10, 6.2.4, and , and recommends disabling username case sensitivity in newer versions. Additional mitigation includes removing unnecessary LDAP groups and auditing logs for evidence of 2FA bypass.
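The log audit mentioned above can be approximated by looking for logins whose username matches a local 2FA account only when case is ignored. The sketch below is an added example, not code from Fortinet or from this article; the record fields (`time`, `user`, `status`, `second_factor`) and all sample values are constructed assumptions, not FortiOS log field names.

```python
# Added example: find logins that match a local 2FA account only case-insensitively.
# Field names are hypothetical; map them from whatever your log export provides.

LOCAL_2FA_USERS = {"jsmith", "adavis"}  # constructed: local accounts with 2FA enabled

# Constructed sample events, assumed already parsed into dictionaries.
SAMPLE_EVENTS = [
    {"time": "2025-12-20T08:01:12Z", "user": "jsmith", "status": "success", "second_factor": True},
    {"time": "2025-12-20T08:14:40Z", "user": "JSmith", "status": "success", "second_factor": False},
    {"time": "2025-12-20T09:02:05Z", "user": "ADAVIS", "status": "failure", "second_factor": False},
    {"time": "2025-12-20T09:30:51Z", "user": "mbrown", "status": "success", "second_factor": False},
]


def find_case_variant_logins(events, local_2fa_users):
    """Classify logins that use a differently cased form of a local 2FA username.

    verdict "2fa_bypass":     login succeeded and no second factor was recorded
    verdict "failed_attempt": case-variant login that did not succeed
    """
    # Group exact local names by their case-folded form, so two local accounts
    # that differ only in case are both treated as exact matches.
    exact_by_folded = {}
    for name in local_2fa_users:
        exact_by_folded.setdefault(name.casefold(), set()).add(name)

    findings = []
    for ev in events:
        user = ev.get("user", "")
        exact_names = exact_by_folded.get(user.casefold())
        if not exact_names or user in exact_names:
            continue  # not a 2FA account, or the exact local name was used
        if ev.get("status") == "success":
            if ev.get("second_factor"):
                continue  # second factor was still enforced
            verdict = "2fa_bypass"
        else:
            verdict = "failed_attempt"
        findings.append({
            "time": ev.get("time"),
            "logged_user": user,
            "local_accounts": sorted(exact_names),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in find_case_variant_logins(SAMPLE_EVENTS, LOCAL_2FA_USERS):
        print(finding)
```
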

The renewed exploitation of CVE-2020-12812 highlights how legacy vulnerabilities can remain a threat long after disclosure if systems are not updated or are improperly configured. Authentication flaws are particularly dangerous, as they allow attackers to bypass security controls without deploying malware or exploiting memory corruption.
