Cybercriminals are actively abusing a long-patched Fortinet FortiGate flaw from July 2020, slipping past two-factor authentication (2FA) on firewalls and potentially granting unauthorized access to VPNs and admin consoles.<\/p>\n
Fortinet\u2019s PSIRT team detailed the in-the-wild attacks in a recent blog post, urging admins to audit configurations immediately to avoid compromise.<\/p>\n
Dubbed FG-IR-19-283 (CVE-2020-12812<\/a>), the issue stems from a mismatch in how FortiGate devices handle usernames compared with LDAP directories. FortiGate treats usernames as case-sensitive by default, while most LDAP servers, like Active Directory, ignore case.<\/p>\n Attackers exploit this in misconfigured setups where local FortiGate users have 2FA enabled and are also members of LDAP groups mapped to authentication policies.<\/p>\n The attack unfolds simply. Suppose a local user \u201cjsmith\u201d has 2FA enabled and linked to an LDAP<\/a> group such as \u201cDomain Users.\u201d Logging in with the exact \u201cjsmith\u201d triggers the token prompt.<\/p>\n But hackers enter \u201cJsmith,\u201d \u201cjSmith,\u201d or any case variation. FortiGate fails to match the local user, then falls back to secondary authentication policies tied to LDAP groups such as \u201cHelpdesk\u201d or \u201cAuth-Group.\u201d Valid LDAP credentials alone suffice, bypassing 2FA entirely.<\/p>\n Fortinet confirmed these prerequisites for exploitation:<\/p>\n This grants attackers VPN entry or elevated privileges without tokens. Fortinet warns that successful bypasses signal compromise: reset all credentials, including LDAP\/AD binding accounts, and scrutinize logs for anomalies like failed local matches followed by LDAP successes.<\/p>\n The vulnerability dates back to 2020, with fixes in FortiOS 6.0.10, 6.2.4, and 6.4.1. Yet, unpatched or misconfigured devices linger in the wild, drawing opportunistic hackers. Fortinet\u2019s analysis shows attackers probing specific setups, likely scanning for outdated firmware.<\/p>\n Admins should prioritize these steps:<\/p>\n Fortinet emphasizes<\/a> that the absence of LDAP groups eliminates bypass risk for local-only users. This incident underscores a harsh reality: old vulnerabilities thrive on configuration drift.<\/p>\n With FortiGate firewalls shielding critical networks, enterprises must enforce least-privilege policies and regular audits. A delay could enable ransomware or lateral movement. Act now before hackers crack your defenses.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Exploiting Three-Year-Old FortiGate Vulnerability to Bypass 2FA on Firewalls<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjZqbBitK-5UTsP_nwAWebiX2xTLj5MKLqX3QrOS5sXo1mIrH9YWtQmLTygzbK9nUcSxdUcqVAm0106K61sL-NlNmgzbqTDlTXhq7hnVW8nCMYDsfW4HrfzekzySSgbVL7zMg9oTNJ7F8T7jkFzcWWeN-Bj-y7zPzE1UlKVaowzqRrr-SCHJ0vjnmorBryI\/s16000\/ldap.webp?ssl=1\")
<\/figure>\n\n
Mitigations<\/strong><\/h2>\n
\n