Fortinet announced Wednesday that it has seen “recent exploitation” of a five-year-old security flaw in FortiOS SSL VPN under certain configurations.
The vulnerability in question, CVE-2020-12812 (CVSS score: 5.2), is an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to successfully log in without being prompted for a second factor of authentication if the case of the username is changed.
“This occurs when two-factor authentication is enabled in the ‘User Local’ settings and the user authentication type is set to a remote authentication method (such as LDAP). This issue occurs because the case-sensitive matching between local and remote authentication is inconsistent,” Fortinet noted in July 2020.
The vulnerability has since been actively exploited in the wild by multiple attackers, and the U.S. government has cited it as one of many weaknesses weaponized in attacks targeting perimeter devices in 2021.
In a new advisory published on December 24, 2025, Fortinet noted that the following configurations must be present to successfully trigger CVE-2020-12812:
Local user entry on the FortiGate using 2FA that references LDAP The same user must be a member of a group on the LDAP server At least one LDAP group that the two-factor user is a member of must be configured on the FortiGate, and that group must be used in authentication policies that include administrative users, SSL, IPSEC VPN, etc.
If these prerequisites are met, this vulnerability allows LDAP users configured with 2FA to bypass the security layer and instead authenticate directly to LDAP. This is because LDAP directories are case-insensitive, whereas FortiGate user names are case-sensitive.
“If a user logs in using ‘Jsmith’, ‘jSmith’, ‘JSmith’, ‘jsmiTh’, or anything whose case does not exactly match ‘jsmith’, FortiGate will not match the login to a local user,” Fortinet explained. “This configuration causes FortiGate to consider other authentication options. FortiGate checks other configured firewall authentication policies.”
“After the jsmith match fails, FortiGate finds the group ‘Auth-Group’ configured as secondary and finds the LDAP server from there. If the credentials are correct, authentication will succeed regardless of the settings in the local user policy (2FA and disabled accounts).
As a result, this vulnerability could allow administrators or VPN users to authenticate without 2FA. Fortinet released FortiOS 6.0.10, 6.2.4, and 6.4.1 in July 2020 to address this behavior. Organizations that do not have these versions in place can run the following commands for all local accounts to prevent authentication bypass issues.
Disable case sensitivity for usernames
Customers using FortiOS versions 6.0.13, 6.2.10, 6.4.7, 7.0.1 and later are recommended to run the following command:
Disable username confidentiality
“When you set username sensitivity to disabled, FortiGate treats jsmith, JSmith, JSMITH, and all possible combinations as the same, thus preventing failover to other misconfigured LDAP group settings,” the company said.
As an additional mitigation measure, it may be worth considering removing secondary LDAP groups if they are not needed. This eliminates the entire attack chain since authentication by LDAP groups is not possible and the user will fail to authenticate if the username does not match the local entry.
However, the newly issued guidance does not specifically address the nature of attacks exploiting this flaw or whether those incidents were successful. Fortinet is also advising affected customers to contact their support team and reset all credentials if they find evidence that an administrator or VPN user is authenticating without 2FA.
Source link
