
Fortinet Warns of Active Exploitation of FortiOS SSL VPN Vulnerability

  • Dec 25, 2025
  • 2 min read

Key Findings


  • Fortinet reported active exploitation of a five-year-old security vulnerability, CVE-2020-12812 (CVSS score: 5.2), in FortiOS SSL VPN.

  • The vulnerability is an improper authentication flaw that may allow a user who holds a valid password to bypass two-factor authentication (2FA) by changing the case of the username, logging in successfully without ever being prompted for the second factor.

  • The issue occurs when FortiGate has local 2FA users linked to LDAP, the same users belong to LDAP groups used in authentication policies, and username case differs at login.

  • Fortinet addressed the vulnerability in FortiOS 6.0.10, 6.2.4, and 6.4.1 in July 2020.

  • Organizations can mitigate the authentication bypass by disabling username case sensitivity.


Background


  • In April 2021, the FBI and CISA warned of attacks carried out by APT groups targeting Fortinet FortiOS servers using multiple exploits, including CVE-2020-12812.

  • In July 2021, CISA, ACSC, NCSC, and the FBI published a joint advisory on the top 30 vulnerabilities exploited by threat actors in 2020, including CVE-2020-12812.

  • Since at least March 2021, Iran-linked APT groups have leveraged Fortinet FortiOS vulnerabilities, including CVE-2020-12812, to gain access to target networks.

  • In May 2022, researchers linked the Iran-backed COBALT MIRAGE APT group to exploiting CVE-2020-12812.

  • The Hive ransomware operators were also observed exploiting the same flaw in 2022 attacks.


Vulnerability Details


  • The vulnerability occurs when two-factor authentication is enabled in the "user local" setting, and the user authentication type is set to a remote authentication method (e.g., LDAP).

  • The issue exists because username matching is inconsistent between the local user lookup and the remote (LDAP) authentication: the local lookup is case-sensitive while the directory matches usernames case-insensitively.

  • If a user enters a differently cased username, FortiGate may skip the local 2FA user and authenticate directly via LDAP group policies, allowing admin or VPN access without 2FA.

  • To trigger the issue, an organization must have all of the following configuration:

      • Local user entries on the FortiGate with 2FA, referencing back to LDAP

      • The same users are members of a group on the LDAP server

      • At least one LDAP group the two-factor users are a member of is configured on FortiGate and used in an authentication policy


Mitigations


  • Fortinet released FortiOS 6.0.10, 6.2.4, and 6.4.1 to address the vulnerability in July 2020.

  • For older FortiOS versions where upgrading is not immediately possible, the workaround is to disable username case sensitivity on the affected local user entries (under `config user local`) with `set username-case-sensitivity disable`, so a differently cased login still matches the 2FA user.

  • Customers using FortiOS 6.0.13, 6.2.10, 6.4.7, 7.0.1, or newer should use the command `set username-sensitivity disable` instead.

  • Additionally, removing the LDAP group from the authentication policy, where it is not required, eliminates the fall-through path entirely: with no group-based policy to land on, a mismatched username simply fails to authenticate.

  • Affected customers should contact Fortinet support and reset all credentials if they find evidence of admin or VPN users being authenticated without 2FA.
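To make the failure mode and both workarounds concrete, the following is a small Python model added to this page; it is not FortiOS code or Fortinet's implementation. It reproduces the logic the Vulnerability Details and Mitigations sections describe (a case-sensitive local-user lookup placed in front of a case-insensitive LDAP group path), and the `at_risk_users()` helper encodes the three configuration preconditions listed above. All users, passwords, group names and the OTP value are constructed for the illustration.

```python
"""Toy model of the CVE-2020-12812 authentication-ordering flaw.

Added example, not FortiOS code. It reproduces the logic the advisory
describes (case-sensitive local-user lookup in front of a case-insensitive
LDAP path) so the bypass and the two workarounds can be exercised offline.
All users, passwords, groups and the OTP value below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed LDAP directory. Directory servers typically match user names
# case-insensitively, which ldap_bind() and ldap_groups() mimic.
LDAP_DIRECTORY = {
    "alice": {"password": "Wint3r!", "groups": {"vpn-users", "staff"}},
    "bob": {"password": "Summ3r!", "groups": {"vpn-users"}},
    "carol": {"password": "Autumn!", "groups": {"staff"}},
}

# Constructed local user table, standing in for `config user local` entries
# that authenticate against LDAP and require a second factor. Keys lowercase.
LOCAL_USERS = {
    "alice": {"backend": "ldap", "two_factor": True, "otp": "482913"},
}

# Constructed stand-in for an LDAP group referenced by an authentication policy.
POLICY_GROUPS = {"vpn-users"}


def ldap_bind(username: str, password: str) -> bool:
    """Case-insensitive simple bind against the toy directory."""
    entry = LDAP_DIRECTORY.get(username.lower())
    return entry is not None and entry["password"] == password


def ldap_groups(username: str) -> set:
    """Group memberships for a user, matched case-insensitively."""
    entry = LDAP_DIRECTORY.get(username.lower())
    return set(entry["groups"]) if entry else set()


@dataclass(frozen=True)
class AuthResult:
    granted: bool
    second_factor_checked: bool
    path: str  # "local-2fa", "ldap-group" or "denied"


def authenticate(username: str, password: str, otp: Optional[str], *,
                 case_sensitive_local_match: bool,
                 policy_groups: set = POLICY_GROUPS) -> AuthResult:
    """Authenticate in the order the advisory describes: local user first,
    then LDAP group policy.

    case_sensitive_local_match=True models the vulnerable behaviour; False
    models the effect of `set username-case-sensitivity disable` (normalize
    the name before the local lookup). Passing an empty policy_groups models
    removing the LDAP group from the authentication policy.
    """
    key = username if case_sensitive_local_match else username.lower()
    local = LOCAL_USERS.get(key)
    if local is not None:
        # Local 2FA entry matched: password via the referenced back end, then OTP.
        if not ldap_bind(username, password):
            return AuthResult(False, False, "denied")
        if local["two_factor"] and otp != local["otp"]:
            return AuthResult(False, True, "denied")
        return AuthResult(True, local["two_factor"], "local-2fa")

    # No local entry matched: fall through to the LDAP group policy, which
    # has no OTP step. This is the path a re-cased username lands on.
    if ldap_bind(username, password) and ldap_groups(username) & policy_groups:
        return AuthResult(True, False, "ldap-group")
    return AuthResult(False, False, "denied")


def at_risk_users(policy_groups: set = POLICY_GROUPS) -> set:
    """Local 2FA users meeting all three preconditions from the advisory:
    a local entry with 2FA referencing LDAP, membership of an LDAP group,
    and that group being used in an authentication policy."""
    return {
        name for name, local in LOCAL_USERS.items()
        if local["backend"] == "ldap" and local["two_factor"]
        and ldap_groups(name) & policy_groups
    }


if __name__ == "__main__":
    print("at risk:", at_risk_users())
    for name, mode in (("alice", True), ("Alice", True), ("Alice", False)):
        r = authenticate(name, "Wint3r!", None, case_sensitive_local_match=mode)
        print(f"{name!r:8} case_sensitive={mode!s:5} -> {r}")
```

Running the module shows `alice` being stopped at the OTP prompt, `Alice` being granted through the group path with no second factor under the vulnerable matching, and the same `Alice` attempt being held at the OTP prompt once case-insensitive matching is in effect.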


Sources


  • https://securityaffairs.com/186117/security/five-year-old-fortinet-fortios-ssl-vpn-flaw-actively-exploited.html

  • https://thehackernews.com/2025/12/fortinet-warns-of-active-exploitation.html

  • https://thehackernews.com/2025/12/cisa-flags-actively-exploited-digiever.html


© 2025 by Explain IT Again. Powered and secured by Wix
