Article Details
Scrape Timestamp (UTC): 2025-12-29 11:21:46.680
Original Article Text
Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks

Fortinet has warned customers that threat actors are still actively exploiting a critical FortiOS vulnerability that lets them bypass two-factor authentication (2FA) on vulnerable FortiGate firewalls.

Tracked as CVE-2020-12812, the improper authentication flaw affects the FortiGate SSL VPN and lets attackers log in to unpatched firewalls without being prompted for the second factor (FortiToken) simply by changing the case of the username.

"This happens when two-factor authentication is enabled in the 'user local' setting, and that user authentication type is set to a remote authentication method (eg: ldap)," Fortinet explained when it patched the vulnerability in July 2020. "The issue exists because of inconsistent case sensitive matching among the local and remote authentication."

Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address the flaw, and advised admins who could not deploy the update to turn off username case sensitivity as a workaround.

Last week, the company warned customers that attackers are still exploiting CVE-2020-12812 in the wild, targeting firewalls with LDAP (Lightweight Directory Access Protocol) authentication enabled. To be exposed to these ongoing attacks, an organization must have local user entries on the FortiGate that require 2FA and are linked to LDAP; those users must also belong to an LDAP group that is itself configured on the FortiGate.

"Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations," it said. "Part of what makes this situation possible is the misconfiguration of a secondary LDAP Group that is used when the local LDAP authentication fails. If a secondary LDAP Group is not required, it should be removed. If no LDAP groups are used at all, no authentication via LDAP group is possible, and the user will fail authentication if the username is not a match to a local entry."

In April 2021, the FBI and CISA warned that state-backed hackers were attacking Fortinet FortiOS instances using exploits for multiple vulnerabilities, including CVE-2020-12812 to bypass 2FA. Seven months later, in November 2021, CISA added CVE-2020-12812 to its Known Exploited Vulnerabilities catalog, tagging it as used in ransomware attacks and ordering federal agencies to secure their systems by May 2022.

Fortinet vulnerabilities are frequently exploited in attacks, often as zero-days. For instance, in November 2025 the company warned of an actively exploited FortiWeb zero-day (CVE-2025-58034), one week after confirming that it had silently patched a second FortiWeb zero-day (CVE-2025-64446) that was abused in widespread attacks.
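The following Python model is an added illustration and is not Fortinet's code, nor is it derived from FortiOS internals. It reproduces the authentication logic the advisory and Fortinet's statement describe: a local user entry matched by exact case, a 2FA prompt attached to that entry, and a secondary LDAP group that is consulted when no local entry matches and that carries no second factor. The user names, passwords, the two-stage lookup order and the `case_sensitive_local` / `secondary_group` switches (standing in for the username-case-sensitivity workaround and for removing the secondary group) are assumptions made for this example.

```python
"""Toy model of the matching inconsistency behind CVE-2020-12812.

Added example, not Fortinet's code. Assumptions (not verified against FortiOS):
the local user table is matched case-sensitively, the LDAP directory matches
names case-insensitively, and a secondary LDAP group without 2FA is consulted
when no local entry matches. All accounts and passwords are constructed data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class LocalUser:
    name: str
    auth_type: str      # "ldap": password is checked against the directory
    two_factor: bool    # FortiToken required after the password


# Constructed sample configuration.
LOCAL_USERS = {"alice": LocalUser("alice", "ldap", two_factor=True)}
LDAP_ACCOUNTS = {"alice": "correct horse battery staple", "bob": "hunter2"}
SECONDARY_LDAP_GROUP = {"alice", "bob"}   # group membership, no 2FA attached


def ldap_bind(username: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind; directories usually compare names case-insensitively."""
    return LDAP_ACCOUNTS.get(username.lower()) == password


def in_ldap_group(username: str) -> bool:
    """Group membership check, also case-insensitive on the directory side."""
    return username.lower() in SECONDARY_LDAP_GROUP


def find_local_user(username: str, case_sensitive: bool) -> Optional[LocalUser]:
    """Vulnerable path: exact-case lookup only. Hardened path: case-insensitive
    comparison, the effect the article attributes to turning off username case sensitivity."""
    if case_sensitive:
        return LOCAL_USERS.get(username)
    return next((u for u in LOCAL_USERS.values() if u.name.lower() == username.lower()), None)


def authenticate(username: str, password: str, token_ok: bool, *,
                 case_sensitive_local: bool = True,
                 secondary_group: bool = True) -> Tuple[bool, bool]:
    """Return (logged_in, second_factor_prompted)."""
    user = find_local_user(username, case_sensitive_local)
    if user is not None:
        if user.auth_type == "ldap" and not ldap_bind(username, password):
            return False, False
        if user.two_factor:
            return token_ok, True      # second factor enforced on the local entry
        return True, False
    # No local entry matched: fall through to the secondary LDAP group, which has no 2FA.
    if secondary_group and in_ldap_group(username) and ldap_bind(username, password):
        return True, False
    return False, False


if __name__ == "__main__":
    pw = LDAP_ACCOUNTS["alice"]
    print("exact case, no token:    ", authenticate("alice", pw, token_ok=False))  # (False, True)
    print("changed case, no token:  ", authenticate("Alice", pw, token_ok=False))  # (True, False)  bypass
    print("case-insensitive local:  ",
          authenticate("Alice", pw, token_ok=False, case_sensitive_local=False))   # (False, True)
    print("secondary group removed: ",
          authenticate("Alice", pw, token_ok=False, secondary_group=False))        # (False, False)
```

The second call is the bypass: "Alice" misses the case-sensitive local entry, so the 2FA requirement attached to it never applies, while the directory happily binds "Alice" as alice through the secondary group. Either switch closes it in this model: matching the local entry case-insensitively brings the FortiToken prompt back, and removing the secondary group leaves a mismatched username with nothing to authenticate against, which is exactly the outcome Fortinet's statement describes.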
Daily Brief Summary
Fortinet has issued a warning about ongoing exploitation of a critical FortiOS vulnerability, CVE-2020-12812, which allows attackers to bypass two-factor authentication on FortiGate firewalls.
This security flaw, identified in FortiGate SSL VPN, enables unauthorized access by altering the case of usernames, bypassing the FortiToken 2FA prompt.
The vulnerability affects systems configured with LDAP for remote authentication, where local user entries require 2FA and are linked to LDAP groups.
Fortinet released patches in July 2020, but systems remain at risk if updates are not applied or configurations are mismanaged.
The FBI and CISA have previously warned about state-backed actors exploiting this and other Fortinet vulnerabilities, emphasizing the need for robust security measures.
Organizations are advised to apply the patched FortiOS releases and, as workarounds, to disable username case sensitivity and remove any secondary LDAP group that is not required.
Fortinet's alert serves as a reminder of the persistent threat posed by unpatched vulnerabilities and the importance of maintaining up-to-date security practices.