Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
Monday, December 29, 2025
What
A critical improper authentication vulnerability, CVE-2020-12812, in FortiGate SSL VPN allows attackers to bypass two-factor authentication (2FA). This occurs when 2FA is enabled for local users linked to remote authentication methods like LDAP, due to inconsistent case-sensitive matching between local and remote authentication for usernames. Attackers exploit this by changing the case of a legitimate username, gaining unauthorized access without the second factor. The flaw was patched in July 2020, but Fortinet recently warned of its continued active exploitation against specific misconfigurations.
Where
The vulnerability affects FortiGate firewalls running FortiOS SSL VPN, specifically targeting organizations that utilize LDAP for user authentication with local 2FA-enabled user entries. The exploitation has been observed globally, with warnings issued by Fortinet, FBI, and CISA, impacting federal agencies and potentially any organization using vulnerable Fortinet devices.
When
Fortinet patched CVE-2020-12812 in July 2020 with FortiOS versions 6.4.1, 6.2.4, and 6.0.10. In April 2021, the FBI and CISA warned of state-backed hackers exploiting the CVE, and by November 2021, CISA added it to its Known Exploited Vulnerabilities catalog. Fortinet issued a new warning about ongoing active exploitation "last week" (relative to December 2025).
Key Factors
- •CVE-2020-12812
- •FortiGate SSL VPN
- •Two-factor authentication (2FA) bypass
- •Username case sensitivity manipulation
- •Remote authentication (LDAP)
- •Specific FortiGate configurations (local user entries linked to LDAP, LDAP groups, secondary LDAP group misconfiguration)
- •Patches released in July 2020 (FortiOS 6.4.1, 6.2.4, 6.0.10)
- •Active exploitation by state-backed hackers and in ransomware attacks
Takeaways
- →Legacy vulnerabilities, even patched ones, remain a significant threat if not addressed promptly and thoroughly across all affected systems.
- →Complex authentication configurations, especially involving local and remote systems, can introduce subtle bypass vulnerabilities that require careful auditing.
- →Organizations must prioritize patching critical network infrastructure and regularly audit their security configurations to prevent exploitation of known flaws.
