Fortinet warns: Old FortiOS vulnerability bypasses 2FA on FortiGate firewalls


According to Fortinet, an old FortiOS vulnerability that lets attackers skip two-factor authentication on FortiGate firewalls is still being actively exploited.

Fortinet warns that attackers are still actively exploiting a critical vulnerability in FortiOS to bypass two-factor authentication (2FA) on FortiGate firewalls. The flaw is CVE-2020-12812, which was patched back in 2020 but is being exploited again in real-world attacks against devices that run affected firmware or use specific authentication configurations.

FortiGate SSL VPN

The vulnerability lies in the FortiGate SSL VPN. An attacker who already holds a valid password can log in without being prompted for the second factor simply by changing the letter case of the username (for example, "Alice" instead of "alice"). The bypass works when 2FA is enabled for a local user account whose password check is actually delegated to an external authentication source: the local account that carries the 2FA requirement is matched case-sensitively, so the differently cased username misses it and the login falls through to the external server, which accepts the password on its own.

According to Fortinet, the recent attacks mainly occur in environments where local users with mandatory 2FA are linked to LDAP (Lightweight Directory Access Protocol) groups. The risk increases further when a second LDAP group is configured as a fallback that is tried whenever authentication against the first fails: an attempt that does not match the 2FA-protected local account is then retried against the fallback group and can still succeed. Fortinet says that such fallback configurations are often unnecessary and that removing them reduces the risk.

Known for years

The resurgence of the vulnerability is not a surprise. In 2021, the FBI and CISA already warned that threat actors were attacking FortiGate systems by exploiting CVE-2020-12812. CISA later added the flaw to its Known Exploited Vulnerabilities catalog and linked it to ransomware campaigns. According to Fortinet, the fact that attacks are still successful in 2025 mainly points to poorly maintained or misconfigured environments.

Fortinet emphasizes that organizations should urgently review their FortiGate configurations and check that all systems are running a fixed FortiOS version. Those who cannot deploy a recent FortiOS version can fall back on the previously published workarounds, such as disabling case sensitivity for usernames and reducing reliance on LDAP fallback groups.