
Ethical Hacking News

The Fortinet Vulnerability: A Five-Year-Old Flaw that is Still Being Exploited




A five-year-old vulnerability in Fortinet's SSL VPN software has been exploited in the wild, highlighting the ongoing threat posed by older vulnerabilities. This article provides a detailed analysis of the CVE-2020-12812 flaw, its potential severity, and the steps organizations must take to prevent exploitation.



  • A serious authentication flaw in Fortinet's FortiOS SSL VPN lets a user bypass two-factor authentication simply by changing the case of their username.
  • The vulnerability, CVE-2020-12812, was fixed in 2020 but is still being exploited in the wild against FortiGates that were never updated and that run the affected configuration.
  • The root cause is inconsistent case-sensitive matching between the local and remote (LDAP) authentication paths: a differently cased username misses the local 2FA entry and is authenticated through an LDAP group policy with no second factor.
  • Only specific configurations are affected: local user entries with 2FA that reference an LDAP server for authentication, combined with an LDAP group that is configured on the FortiGate and used in an authentication policy.



    New vulnerabilities appear every day, but older ones do not stop being exploited just because a patch has been available for years. Fortinet's CVE-2020-12812 is a prime example of this phenomenon.

    In 2020, Fortinet disclosed a serious authentication flaw in its FortiOS SSL VPN. The flaw, tracked as CVE-2020-12812, allowed a user to bypass two-factor authentication by changing the case of their username, logging in successfully without ever being prompted for the second factor. The vulnerability was originally assigned a CVSS score of 5.2; NVD rates it 9.8 (Critical) under CVSS 3.1, which better reflects what an unprompted 2FA bypass on a VPN gateway means in practice.

    Fortinet fixed the flaw in July 2020 in FortiOS 6.0.10, 6.2.4 and 6.4.1, but many organizations never upgraded. Because the bypass needs nothing more than a differently cased username and a valid LDAP password, attackers have continued to use it against unpatched FortiGates that run the affected configuration.

    In technical terms, CVE-2020-12812 is an improper authentication vulnerability in the FortiOS SSL VPN. The bypass applies when two-factor authentication is enabled on a local user entry (configured under "user local") whose authentication type is set to a remote method such as LDAP, so that the password is verified remotely while the second factor is tied to the local entry.

    The root cause is inconsistent case-sensitive matching between the local and remote authentication paths. The local user table is matched on the exact case of the username, while the LDAP lookup is not. If a user submits their username with different casing (for example "JDoe" instead of "jdoe"), FortiGate finds no matching local user, skips the 2FA attached to that entry, falls through to the LDAP group policy, and authenticates the session on the LDAP password alone. The result is admin or VPN access without a second factor; an intrusion through this path should be treated as a credential compromise and followed by a full credential reset.
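    To make the mechanism concrete, here is a small Python model of the two lookups, written for this article rather than taken from FortiOS: a local-user table matched with exact case in front of an LDAP backend that matches case-insensitively. The user "jdoe", the password, the group "VPN-Users" and the OTP value are constructed sample data, and authenticate_fixed shows one straightforward hardening (resolve the local entry with the same case rules the LDAP backend uses), not Fortinet's actual patch.

```python
"""Simplified model of the CVE-2020-12812 authentication flow.

Added example, not Fortinet's code.  It models a case-sensitive local-user
lookup in front of a case-insensitive LDAP lookup so the bypass and one
possible fix can be seen side by side.  All names, passwords and tokens
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    name: str           # entry name under "config user local"
    auth_type: str      # "ldap": the password is checked against LDAP
    two_factor: bool    # second factor is attached to the *local* entry


# Constructed sample configuration.
LOCAL_USERS = {"jdoe": LocalUser("jdoe", "ldap", True)}

# LDAP directory: usernames are case-insensitive, so keys are lower-cased.
LDAP_DIRECTORY = {
    "jdoe": {"password": "Winter2020!", "groups": {"VPN-Users"}},
}

# LDAP groups that the FortiGate has configured and uses in a VPN policy.
POLICY_GROUPS = {"VPN-Users"}


def ldap_bind(username: str, password: str):
    """Case-insensitive credential check, as a typical AD/LDAP backend does."""
    entry = LDAP_DIRECTORY.get(username.lower())
    if entry is None or entry["password"] != password:
        return None
    return entry


def _second_factor_ok(token: Optional[str]) -> bool:
    # Stand-in for a FortiToken/OTP check; the sample accepts one fixed value.
    return token == "123456"


def authenticate_vulnerable(username: str, password: str,
                            token: Optional[str] = None) -> str:
    """Pre-fix flow: exact-case local lookup, then LDAP-group fall-through."""
    local = LOCAL_USERS.get(username)            # case-sensitive match
    if local is not None:
        if ldap_bind(username, password) is None:
            return "denied"
        if local.two_factor and not _second_factor_ok(token):
            return "denied"
        return "granted (local entry, 2FA enforced)"
    # No local entry matched: authenticate on LDAP group membership alone.
    entry = ldap_bind(username, password)
    if entry and entry["groups"] & POLICY_GROUPS:
        return "granted (LDAP group, NO 2FA)"
    return "denied"


def authenticate_fixed(username: str, password: str,
                       token: Optional[str] = None) -> str:
    """Hardened flow: resolve the local entry with LDAP's case rules first."""
    canonical = username.lower()
    local = next((u for u in LOCAL_USERS.values()
                  if u.name.lower() == canonical), None)
    entry = ldap_bind(username, password)
    if entry is None:
        return "denied"
    if local is not None:
        if local.two_factor and not _second_factor_ok(token):
            return "denied"
        return "granted (local entry, 2FA enforced)"
    if entry["groups"] & POLICY_GROUPS:
        return "granted (LDAP group)"
    return "denied"


if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_fixed):
        print(fn.__name__)
        print("  jdoe, no token :", fn("jdoe", "Winter2020!"))
        print("  JDoe, no token :", fn("JDoe", "Winter2020!"))
        print("  jdoe, with OTP :", fn("jdoe", "Winter2020!", "123456"))
```

    Run it and the vulnerable flow denies "jdoe" without a token but grants "JDoe" with no second factor at all, while the fixed flow treats both spellings as the same local 2FA user. The fix folds the local lookup to the same case rules as the LDAP backend; the underlying principle is that every authentication path must canonicalise the identity the same way before deciding which policy applies.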

    To trigger the issue, all of the following must be present on the FortiGate:

  • Local user entries with 2FA enabled whose authentication type points back to an LDAP server.
  • The same users are members of a group on the LDAP server.
  • At least one LDAP group that those 2FA users belong to is configured as a user group on the FortiGate.
  • That group is used in an authentication policy.

    If the LDAP group is not referenced by any policy, a differently cased login has nothing to fall through to and is simply rejected.
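    Three of the four conditions above are visible in the FortiGate's own configuration and can be checked from a config dump before anyone touches the LDAP server. The following Python script is an added example, not a Fortinet tool: it parses the config/edit/set/next/end text that "show full-configuration" prints and lists 2FA local users whose LDAP server backs a user group that a policy references. The sample config, user names and group names are constructed; the keyword names (set type ldap, set ldap-server, set two-factor, set member, set groups) are the usual FortiOS CLI ones but should be confirmed against your own dump.

```python
"""Audit a FortiOS config dump for the CVE-2020-12812 preconditions.
Added example, not Fortinet tooling.  Keyword names are assumed to match
the FortiOS CLI; the config below is constructed sample data.
"""
import shlex

SAMPLE_CONFIG = """
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "LDAP1"
        set two-factor fortitoken
    next
    edit "asmith"
        set type ldap
        set ldap-server "LDAP1"
        set two-factor disable
    next
end
config user group
    edit "VPN-Users"
        set member "LDAP1"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-Users"
        next
    end
end
config firewall policy
    edit 10
        set groups "VPN-Users"
    next
end
"""


def _node():
    return {"set": {}, "entries": {}, "config": {}}


def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts."""
    root = _node()
    stack = [root]
    for line in text.splitlines():
        tokens = shlex.split(line)          # strips quotes around values
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":                  # table, keyed by its full name
            child = _node()
            stack[-1]["config"][" ".join(args)] = child
            stack.append(child)
        elif kw == "edit":                  # entry inside a table
            child = _node()
            stack[-1]["entries"][args[0]] = child
            stack.append(child)
        elif kw == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif kw in ("next", "end"):         # close entry / close table
            stack.pop()
    return root


def _table(root, *names):
    """Entries of a (possibly nested) config table; empty if absent."""
    node = root
    for name in names:
        node = node["config"].get(name, _node())
    return node["entries"]


def find_exposed_users(config_text):
    """Return one finding per (2FA LDAP-backed local user, group, policy)."""
    root = parse_fortios(config_text)
    # Condition: user groups referenced by an SSL VPN auth rule or firewall policy.
    policy_refs = {}
    for rid, rule in _table(root, "vpn ssl settings", "authentication-rule").items():
        for g in rule["set"].get("groups", []):
            policy_refs.setdefault(g, []).append(f"vpn ssl authentication-rule {rid}")
    for pid, pol in _table(root, "firewall policy").items():
        for g in pol["set"].get("groups", []):
            policy_refs.setdefault(g, []).append(f"firewall policy {pid}")
    # Condition: LDAP server -> FortiGate user groups that list it as a member.
    groups_by_server = {}
    for gname, grp in _table(root, "user group").items():
        for member in grp["set"].get("member", []):
            groups_by_server.setdefault(member, []).append(gname)
    # Condition: local users with a second factor whose password check is LDAP.
    findings = []
    for uname, user in _table(root, "user local").items():
        s = user["set"]
        two_factor = s.get("two-factor", ["disable"])[0]
        if two_factor == "disable" or s.get("type", ["password"])[0] != "ldap":
            continue
        server = s.get("ldap-server", [""])[0]
        for gname in groups_by_server.get(server, []):
            for where in policy_refs.get(gname, []):
                findings.append({"user": uname, "ldap_server": server,
                                 "group": gname, "policy": where})
    return findings


if __name__ == "__main__":
    for f in find_exposed_users(SAMPLE_CONFIG):
        print(f"{f['user']}: 2FA local entry -> {f['ldap_server']} -> "
              f"group {f['group']} used in {f['policy']}")
```

    On the sample, "jdoe" is reported twice (once per policy that references VPN-Users) and "asmith" is not, because their second factor is disabled. Group membership on the LDAP server (the second condition) is not visible in the FortiGate config, so a hit means the account needs review, not that it is confirmed vulnerable; upgrading to a fixed FortiOS build remains the real remediation.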

    Fortinet published the fix in July 2020. Since then the flaw has appeared repeatedly in government advisories and threat reports:

  • In March 2021, Iran-linked APT groups leveraged FortiOS vulnerabilities including CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 to gain access to target networks.
  • In April 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint alert warning of APT groups targeting FortiOS devices with multiple exploits, including CVE-2020-12812.
  • In July 2021, CISA, the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC) and the FBI published a Joint Cybersecurity Advisory on the top 30 vulnerabilities exploited by threat actors in 2020; CVE-2020-12812 was on the list.
  • In May 2022, researchers at Secureworks Counter Threat Unit (CTU) investigated a series of attacks by the Iran-linked COBALT MIRAGE APT group, identified two distinct clusters of intrusions, and observed the group exploiting CVE-2020-12812.
  • Hive ransomware operators were also observed exploiting the same flaw in 2022 attacks.

    In conclusion, CVE-2020-12812 is a stark reminder that a vulnerability does not stop being exploited because it is old. A bypass that needs nothing more than a differently cased username will keep working until the device runs a fixed FortiOS build, so organizations should confirm the running version on every FortiGate, review whether the configuration described above is present, and treat any SSL VPN login that skipped 2FA as a credential compromise requiring a full reset.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Fortinet-Vulnerability-A-Five-Year-Old-Flaw-that-is-Still-Being-Exploited-ehn.shtml

  • https://securityaffairs.com/186117/security/five-year-old-fortinet-fortios-ssl-vpn-flaw-actively-exploited.html

  • https://nvd.nist.gov/vuln/detail/CVE-2020-12812

  • https://www.cvedetails.com/cve/CVE-2020-12812/

  • https://nvd.nist.gov/vuln/detail/CVE-2018-13379

  • https://www.cvedetails.com/cve/CVE-2018-13379/

  • https://nvd.nist.gov/vuln/detail/CVE-2019-5591

  • https://www.cvedetails.com/cve/CVE-2019-5591/


  • Published: Thu Dec 25 19:46:04 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
