10,000+ Fortinet Firewalls Still Exposed to 5-year Old MFA Bypass Vulnerability
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Over 10,000 Fortinet firewalls worldwide remain vulnerable to CVE-2020-12812, a multi-factor authentication (MFA) bypass flaw disclosed over five and a half years ago.<\/p>\n
Shadowserver recently added the issue to its daily Vulnerable HTTP Report, highlighting persistent exposure amid active exploitation confirmed by Fortinet in late 2025.\u200b<\/p>\n
CVE-2020-12812<\/a> stems from improper authentication in FortiOS SSL VPN portals, affecting versions 6.4.0, 6.2.0 through 6.2.3, and 6.0.9 and earlier. Attackers can bypass the second authentication factor, typically FortiToken, by simply altering the case of a legitimate username, such as changing \u201cuser\u201d to \u201cUser,\u201d during login.<\/p>\n This occurs due to mismatched case sensitivity: FortiGate treats local usernames as case-sensitive, while LDAP servers (like Active Directory<\/a>) often ignore case, allowing authentication via group membership without prompting for MFA.\u200b<\/p>\n The flaw carries a CVSS v3.1 base score of 7.5 (High), with network accessibility, low complexity, and potential for confidentiality, integrity, and availability impacts. It was added to CISA\u2019s Known Exploited Vulnerabilities catalog in 2021 after ransomware actors leveraged it.\u200b<\/p>\n In December 2025, Fortinet issued a PSIRT advisory (FG-IR-19-283 update) detailing \u201crecent abuse\u201d of the vulnerability in the wild, tied to specific configurations: local FortiGate users with MFA enabled, linked to LDAP, and belonging to LDAP groups mapped to authentication policies for SSL VPN, IPsec<\/a>, or admin access. Threat actors exploited this to gain unauthorized internal network access, prompting Fortinet to urge immediate checks and patches.\u200b<\/p>\n Shadowserver\u2019s scans confirm the flaw\u2019s persistence, scanning for vulnerable HTTP services on exposed ports.\u200b<\/p>\n