Vulnerabilities | December 25, 2025 | 4 min read

Fortinet Warns 5-Year-Old FortiOS 2FA Bypass Is Under Active Attack

CVE-2020-12812 lets an attacker who already holds valid credentials bypass two-factor authentication on FortiGate devices simply by changing the case of the username. Fortinet issued a fresh advisory on December 25.

Marcus Chen

Fortinet has issued a fresh advisory warning that attackers are actively exploiting CVE-2020-12812, a five-year-old vulnerability that allows bypassing two-factor authentication on FortiGate devices. The flaw, patched in 2020, continues to catch organizations that haven't updated or have misconfigured their LDAP authentication settings.

TL;DR

  • What happened: Fortinet observed renewed exploitation of CVE-2020-12812, which lets a credential holder skip the 2FA prompt by changing the case of the username
  • Who's affected: FortiOS devices where local users with 2FA enabled are also members of LDAP groups that are configured on the device and referenced by firewall or authentication policies
  • Severity: Medium (CVSS 5.2) but high impact when exploited—grants unauthorized VPN or admin access
  • Action required: Update to FortiOS 6.0.10+, 6.2.4+, or 6.4.1+, or disable username case sensitivity

How Does CVE-2020-12812 Work?

The vulnerability exploits a mismatch between how FortiGate matches usernames and how LDAP directories do. By default FortiGate matches local usernames case-sensitively. Most LDAP servers, including Active Directory, match usernames case-insensitively.

Consider this scenario: A local user "jsmith" has 2FA enabled and belongs to an LDAP group called "Domain Users." Logging in as "jsmith" triggers the token prompt. But if an attacker enters "Jsmith," "jSmith," or any other case variation, FortiGate fails to match the local user.

After failing the local user match, FortiGate falls back to secondary authentication policies tied to LDAP groups. The LDAP server sees "Jsmith" as equivalent to "jsmith" and validates the password. Authentication succeeds—without the 2FA prompt.

The result: attackers with valid credentials can bypass 2FA simply by capitalizing a letter in the username.
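The flow above, as an added example that is not Fortinet's code: a toy model of the two-step login (local user match with 2FA, then fallback to LDAP-group policies) in Python. Every user, password, group and policy in it is constructed; the `case_sensitive_local` flag stands in for the vulnerable default on one side and the `username-sensitivity disable` mitigation on the other.

```python
"""Added example, not Fortinet's code: a toy model of the FortiGate login
flow that CVE-2020-12812 abuses.  Every user, password, group and policy
here is constructed for the demonstration."""
from dataclasses import dataclass

# Constructed FortiGate-side local users.  2FA is enforced only when the
# login name matches one of these entries; the password itself is checked
# against LDAP, as for a local user of LDAP type.
LOCAL_USERS = {
    "jsmith": {"two_factor": True},
}

# Constructed directory.  Active Directory matches sAMAccountName without
# regard to case, so the model keys the directory on the lower-cased name.
LDAP_DIRECTORY = {
    "jsmith": {"password": "Winter2025!", "groups": {"Domain Users"}},
}

# LDAP groups referenced by firewall policies: the fallback path, no token.
POLICY_LDAP_GROUPS = {"Domain Users"}


@dataclass
class AuthResult:
    allowed: bool
    path: str            # "local", "ldap-group" or "denied"
    token_prompted: bool


def ldap_bind(username, password):
    """Case-insensitive bind against the constructed directory."""
    entry = LDAP_DIRECTORY.get(username.lower())
    if entry is None or entry["password"] != password:
        return None
    return entry


def find_local_user(username, case_sensitive):
    """Step 1 of the flow: match the login name against local users."""
    if case_sensitive:
        return LOCAL_USERS.get(username)        # vulnerable default: exact match
    for name, user in LOCAL_USERS.items():      # username-sensitivity disable
        if name.lower() == username.lower():
            return user
    return None


def authenticate(username, password, token_ok, case_sensitive_local=True):
    """Return how (and whether) a login is accepted.

    case_sensitive_local=True models the vulnerable default described in
    the article; False models the 'username-sensitivity disable' mitigation.
    """
    local = find_local_user(username, case_sensitive_local)
    if local is not None:
        if ldap_bind(username, password) is None:
            return AuthResult(False, "denied", False)
        if local["two_factor"] and not token_ok:
            return AuthResult(False, "denied", True)   # prompted, no token
        return AuthResult(True, "local", local["two_factor"])

    # Step 2: no local match, so fall back to LDAP-group policies.  The
    # directory accepts the case variant and nothing asks for a token.
    entry = ldap_bind(username, password)
    if entry is not None and entry["groups"] & POLICY_LDAP_GROUPS:
        return AuthResult(True, "ldap-group", False)
    return AuthResult(False, "denied", False)


if __name__ == "__main__":
    for name, fixed in (("jsmith", False), ("Jsmith", False), ("Jsmith", True)):
        r = authenticate(name, "Winter2025!", token_ok=False,
                         case_sensitive_local=not fixed)
        print(f"{name:7} mitigated={fixed!s:5} allowed={r.allowed!s:5} "
              f"path={r.path} prompted={r.token_prompted}")
```

Running it shows the three cases that matter: "jsmith" without a token is stopped at the prompt, "Jsmith" with the same password walks in through the LDAP-group path without ever being prompted, and with the case-insensitive local match the variant is pulled back onto the 2FA path.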

Required Configuration for Exploitation

This vulnerability doesn't affect all FortiGate deployments. Exploitation requires a specific configuration: local user entries on the FortiGate with 2FA enabled whose password check is handed off to LDAP, where those same accounts are also members of an LDAP group that is configured on the FortiGate and referenced by a policy.

If your environment lacks this configuration—for instance, if you use only local users without LDAP integration, or only LDAP without local 2FA users—you're not vulnerable to this particular attack.

Why a 2020 Vulnerability Still Matters

CVE-2020-12812 was patched five years ago. Organizations had ample time to update. Yet Fortinet observed "recent abuse" and felt compelled to issue another advisory.

Configuration drift explains much of this. Security teams may have patched originally, but subsequent firmware updates, migrations, or administrator changes reintroduced vulnerable configurations. Some organizations never patched at all—either because the device is forgotten, managed by a third party, or deemed "working fine."

The lesson is unpleasant but necessary: old vulnerabilities don't die. Attackers maintain exploit collections and scan for any device still exposed. A vulnerability disclosed in 2020 remains a valid attack vector in 2025 if targets exist.

Indicators of Compromise

Fortinet's guidance is that any successful exploitation should be treated as a compromise, not merely a failed control. Look for these patterns in authentication logs:

  • Failed local user authentication followed immediately by successful LDAP group authentication
  • Logins from unexpected locations or at unusual times
  • Username variations in logs (different capitalizations for the same user)

If you find evidence of exploitation, Fortinet recommends treating the system configuration as compromised and resetting all credentials, including LDAP/AD binding accounts.
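The first and third indicators above, turned into detection logic as an added example (not Fortinet's code or guidance). The log lines are constructed in FortiGate's key=value style with simplified field names (user, group, status, srcip); map them onto the real event fields of your firmware before running this against production logs.

```python
"""Added example, not Fortinet's code: hunting for CVE-2020-12812-style
logins in authentication logs.  The log lines below are constructed in
FortiGate's key=value style; the field names and values (user, group,
status) are simplified and must be mapped onto the real event fields of
your firmware before use."""
import re
from datetime import datetime, timedelta

# Constructed sample: local 2FA user "jsmith" fails the token prompt, and one
# second later "Jsmith" succeeds through the LDAP-group path from the same
# address.  The remaining lines are benign noise.
LOG_LINES = """\
date=2025-12-24 time=09:14:02 user="jsmith" group="local" srcip=198.51.100.7 status=failure reason="token required"
date=2025-12-24 time=09:14:03 user="Jsmith" group="ldap_domain_users" srcip=198.51.100.7 status=success reason="ldap auth"
date=2025-12-24 time=11:02:40 user="jsmith" group="local" srcip=192.0.2.33 status=success reason="token accepted"
date=2025-12-24 time=12:30:00 user="ahmed" group="ldap_domain_users" srcip=192.0.2.34 status=success reason="ldap auth"
""".splitlines()

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime."""
    rec = {}
    for m in KV_RE.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    rec["ts"] = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
    return rec


def detect(lines, local_2fa_users, window_s=60):
    """Return (indicator, user_as_logged, srcip, time) tuples.

    local_2fa_users: canonical spellings of the FortiGate local users that
    have 2FA enabled, taken from the device configuration.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    canonical = {u.lower(): u for u in local_2fa_users}
    findings = []
    last_local_failure = {}
    for ev in events:
        key = ev["user"].lower()
        if key not in canonical:
            continue                       # not a 2FA-protected local user
        is_local = ev["group"] == "local"
        ok = ev["status"] == "success"
        if is_local and not ok:
            last_local_failure[key] = ev
            continue
        if ok and not is_local:
            # A 2FA user came in through an LDAP group under a spelling that
            # does not match the local entry: the bypass signature itself.
            if ev["user"] != canonical[key]:
                findings.append(("case-variant-bypass", ev["user"], ev["srcip"], ev["time"]))
            # Local failure followed within the window by an LDAP-group success.
            prev = last_local_failure.get(key)
            if prev and ev["ts"] - prev["ts"] <= timedelta(seconds=window_s):
                findings.append(("local-fail-then-ldap-success", ev["user"], ev["srcip"], ev["time"]))
    return findings


if __name__ == "__main__":
    for finding in detect(LOG_LINES, {"jsmith"}):
        print(*finding)
```

The case-variant check is the one to prioritise: a 2FA-protected account that authenticates through an LDAP group under any spelling other than its local entry should not happen at all on a correctly configured device, so it needs no timing window. Feed `detect` the canonical spellings from `config user local`, not from the logs, otherwise the attacker's variant becomes the baseline.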

Remediation Steps

  1. Update firmware - Upgrade to FortiOS 6.0.10+, 6.2.4+, or 6.4.1+ to eliminate the fallback behavior
  2. Disable case sensitivity - On versions 6.0.10-6.0.12, run set username-case-sensitivity disable; on 6.0.13+, 6.2.10+, 6.4.7+, 7.0.1+, use set username-sensitivity disable
  3. Remove unnecessary LDAP groups - If secondary LDAP groups aren't needed, remove them from firewall policies to eliminate the fallback path
  4. Audit authentication logs - Review for suspicious patterns indicating prior exploitation
  5. Reset credentials if compromised - If exploitation occurred, reset all credentials including LDAP binding accounts
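A way to check for the precondition behind steps 2 and 3 (and the FAQ question "How do I check if my FortiGate is configured vulnerably?"), as an added example that is not Fortinet's tooling: a small audit of an exported FortiGate configuration. The sample config is constructed. It assumes the FortiOS `show` layout of `config`/`edit`/`set`/`next`/`end` blocks, that LDAP-backed groups list the LDAP server under `set member`, that policies reference groups with `set groups`, and that the per-user `username-sensitivity` setting from the remediation steps sits under `config user local`; verify that last assumption against the CLI reference for your firmware.

```python
"""Added example, not Fortinet's code: audit an exported FortiGate
configuration ('show' output) for the CVE-2020-12812 precondition.  The
sample configuration is constructed, and the placement of the per-user
username-sensitivity setting under 'config user local' is an assumption."""
import shlex

SAMPLE_CONFIG = """\
config user ldap
    edit "corp-ldap"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
    next
end
config user local
    edit "jsmith"
        set type ldap
        set ldap-server "corp-ldap"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
    next
    edit "svc-backup"
        set type password
        set passwd ENC AAAA
    next
end
config user group
    edit "ldap_domain_users"
        set member "corp-ldap"
    next
    edit "vpn_2fa_users"
        set member "jsmith"
    next
end
config firewall policy
    edit 1
        set name "ssl-vpn-in"
        set groups "vpn_2fa_users" "ldap_domain_users"
    next
end
"""


def parse_config(text):
    """Turn config/edit/set/next/end blocks into nested dicts.
    'set' values are kept as lists because a set line can carry several tokens."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):
            stack.pop()
    return root


def audit(cfg):
    """Report local 2FA users exposed to an LDAP-group fallback path."""
    ldap_servers = set(cfg.get("user ldap", {}))
    local = cfg.get("user local", {})
    two_factor = {n for n, u in local.items()
                  if u.get("two-factor", ["disable"])[0] != "disable"}
    # An entry that already carries the mitigation is not exposed (assumed knob).
    mitigated = {n for n in two_factor
                 if local[n].get("username-sensitivity", ["enable"])[0] == "disable"}
    # Groups backed by an LDAP server rather than by named local users.
    ldap_groups = {g for g, spec in cfg.get("user group", {}).items()
                   if set(spec.get("member", [])) & ldap_servers}
    in_policy = set()
    for pol in cfg.get("firewall policy", {}).values():
        in_policy |= set(pol.get("groups", [])) & ldap_groups
    exposed = sorted(two_factor - mitigated) if in_policy else []
    return {
        "local_2fa_users": sorted(two_factor),
        "ldap_groups_in_policy": sorted(in_policy),
        "exposed_users": exposed,
        "vulnerable_pattern": bool(exposed),
    }


if __name__ == "__main__":
    print(audit(parse_config(SAMPLE_CONFIG)))
```

The audit reports the configuration side of the precondition only: it cannot see whether "jsmith" really is a member of the directory group behind `ldap_domain_users`, so treat a `vulnerable_pattern` result as "go and check the directory", and treat a clean result as valid only for the config you exported, since the article's point about configuration drift applies here too.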

Frequently Asked Questions

Is this the same vulnerability covered in your December 16 article?

No. The December 16 article covered CVE-2025-59718 and CVE-2025-59719, which are newly disclosed SAML SSO authentication bypasses. CVE-2020-12812 is a separate, older vulnerability affecting LDAP/2FA configurations. Both should be addressed, but they're distinct issues.

Why is the CVSS score only 5.2 if this bypasses 2FA?

The CVSS score reflects that exploitation requires specific configurations and valid user credentials. It's not a remote unauthenticated attack. That said, the real-world impact of bypassing 2FA can be severe—scores don't always capture operational risk.

How do I check if my FortiGate is configured vulnerably?

Review your local user configurations and firewall policies. If you have local users with 2FA that also appear in LDAP groups referenced by authentication policies, you may be vulnerable. Fortinet's advisory includes specific configuration checks.
