The Cyber Security News

Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability

December 25, 2025

Fortinet on Wednesday said it observed “recent abuse” of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations.

The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the case of the username was changed.


“This happens when two-factor authentication is enabled in the ‘user local’ setting, and that user authentication type is set to a remote authentication method (e.g., LDAP),” Fortinet noted in July 2020. “The issue exists because of inconsistent case-sensitive matching among the local and remote authentication.”

The vulnerability has since come under active exploitation in the wild by multiple threat actors, with the U.S. government also listing it as one of the many weaknesses that were weaponized in attacks targeting perimeter-type devices in 2021.


In a fresh advisory issued December 24, 2025, Fortinet noted that successfully triggering CVE-2020-12812 requires the following configuration to be present –

  • Local user entries on the FortiGate with 2FA, referencing back to LDAP
  • The same users need to be members of a group on the LDAP server
  • At least one LDAP group the two-factor users are a member of needs to be configured on FortiGate, and the group needs to be used in an authentication policy, which could include, for example, administrative users, SSL VPN, or IPsec VPN

If these prerequisites are satisfied, the vulnerability causes LDAP users with 2FA configured to bypass the security layer and instead authenticate against LDAP directly, which, in turn, is the result of FortiGate treating usernames as case-sensitive, whereas the LDAP Directory does not.

“If the user logs in with ‘Jsmith’, or ‘jSmith’, or ‘JSmith’, or ‘jsmiTh’ or anything that is NOT an exact case match to ‘jsmith,’ the FortiGate will not match the login against the local user,” Fortinet explained. “This configuration causes FortiGate to consider other authentication options. The FortiGate will check through other configured firewall authentication policies.”

“After failing to match jsmith, FortiGate finds the secondary configured group ‘Auth-Group’, and from it the LDAP server, and provided the credentials are correct, authentication will be successful regardless of any settings within the local user policy (2FA and disabled accounts).”

As a result, admin or VPN users can be authenticated without 2FA. Fortinet released FortiOS 6.0.10, 6.2.4, and 6.4.1 to address the behavior in July 2020. Organizations that have not deployed these versions can run the following command for all local accounts to prevent the authentication bypass issue –

set username-case-sensitivity disable

Customers who are on FortiOS versions 6.0.13, 6.2.10, 6.4.7, 7.0.1, or later are advised to run the following command –

set username-sensitivity disable


“With username-sensitivity set to disabled, FortiGate will treat jsmith, JSmith, JSMITH, and all possible combinations as identical and therefore prevent failover to any other misconfigured LDAP group setting,” the company said.

As additional mitigation, it’s worth considering removing the secondary LDAP Group if it’s not required, as this eliminates the entire line of attack since no authentication via LDAP group will be possible, and the user will fail authentication if the username is not a match to a local entry.
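The policy fall-through described above, together with both mitigations, modelled as an added example (this is not Fortinet's code or actual FortiOS logic): a toy evaluator in which the local-user match is exact-case unless `username_sensitivity` is off, and any LDAP group referenced by an authentication policy is tried when no local entry matches. The user, group name, password and directory contents are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class LocalUser:
    name: str
    two_factor: bool = True   # token/2FA configured on the local entry
    enabled: bool = True

@dataclass
class Config:
    local_users: list               # LocalUser entries, remote auth type LDAP
    ldap_groups: list               # LDAP groups referenced by auth policies
    username_sensitivity: bool      # True = FortiOS default, False = mitigation

# Constructed stand-in for the LDAP directory and group membership. LDAP matches
# usernames case-insensitively, which is the root of the inconsistency.
LDAP_DIRECTORY = {"jsmith": "correct-horse"}
LDAP_GROUP_MEMBERS = {"Auth-Group": {"jsmith"}}

def ldap_check(username, password):
    return LDAP_DIRECTORY.get(username.lower()) == password

def find_local(cfg, username):
    for user in cfg.local_users:
        # Exact-case match only, unless username-sensitivity is disabled.
        if user.name == username or (not cfg.username_sensitivity and user.name.lower() == username.lower()):
            return user
    return None

def authenticate(cfg, username, password, otp_ok=False):
    local = find_local(cfg, username)
    if local is not None:
        # Local entry matched: its own settings (disabled flag, 2FA) apply.
        if not local.enabled:
            return False, "local:disabled"
        if not ldap_check(username, password):
            return False, "local:bad-password"
        if local.two_factor and not otp_ok:
            return False, "local:2fa-required"
        return True, "local"
    # No local match: FortiGate tries the other configured policies, i.e. any LDAP
    # group used in an auth policy. 2FA lives on the local entry, so only the
    # LDAP password is checked on this path.
    for group in cfg.ldap_groups:
        if username.lower() in LDAP_GROUP_MEMBERS.get(group, set()):
            if ldap_check(username, password):
                return True, "ldap-group:" + group
    return False, "no-match"

def make_config(username_sensitivity=True, secondary_group=True, enabled=True):
    groups = ["Auth-Group"] if secondary_group else []
    return Config([LocalUser("jsmith", enabled=enabled)], groups, username_sensitivity)
```

With the default configuration, `authenticate(make_config(), "JSmith", "correct-horse")` succeeds via the LDAP group with no OTP, while either disabling username sensitivity or dropping the secondary group makes the same login fail.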

However, the newly issued guidance does not give any specifics on the nature of the attacks exploiting the flaw, nor whether any of those incidents were successful. Fortinet has also advised impacted customers to contact its support team and reset all credentials if they find evidence of admin or VPN users being authenticated without 2FA.

Some parts of this article are sourced from:
thehackernews.com