Ethical Hacking News

The Looming Shadow of CVE-2020-12812: A Five-Year-Old Vulnerability That's Now Being Exploited by Threat Actors



Fortinet has warned that CVE-2020-12812, a five-year-old security flaw in its FortiOS SSL VPN, is being actively exploited. The flaw can allow users to bypass two-factor authentication. Organizations that have not deployed the FortiOS versions that address it should take immediate action.

  • Fortinet has warned of active exploitation of CVE-2020-12812, a five-year-old security flaw in its FortiOS SSL VPN.
  • The flaw lets a user log in without being prompted for the second authentication factor if the case of the username is changed.
  • It exists because of inconsistent case-sensitive matching between the local and remote authentication methods.
  • Customers on affected versions can prevent the issue by running 'set username-case-sensitivity disable'; on later versions the command is 'set username-sensitivity disable'.
  • Updating to the FortiOS versions that address this behavior (6.0.10, 6.2.4, and 6.4.1) is recommended.



    Fortinet, a leading provider of cybersecurity solutions, has warned of active exploitation of a five-year-old security flaw in its FortiOS SSL VPN. The vulnerability, tracked as CVE-2020-12812, is an improper authentication flaw that can allow a user to log in successfully without being prompted for the second factor of authentication if the case of the username is changed.

    This vulnerability has been around since 2020 and was identified by Fortinet in July of that year. However, it wasn't until recently that threat actors started actively exploiting this flaw in the wild. The U.S. government had also listed this vulnerability as one of the many weaknesses that were weaponized in attacks targeting perimeter-type devices in 2021.

    According to Fortinet, the vulnerability exists because of inconsistent case-sensitive matching between the local and remote authentication methods. The issue arises when two-factor authentication is enabled in the 'user local' setting and the user's authentication type is set to a remote method such as LDAP. The problem is that FortiGate treats usernames with different cases as distinct: a login name that is not an exact match is not matched to the local user entry.

    For instance, if a user attempts to log in as "JSmith", "jSmith", "JSMITH", or "jsmiTh" but the username is stored only as "jsmith" in the local user entries on the FortiGate, the login is not matched against the local user. The FortiGate then considers its other authentication options and eventually authenticates the user against the LDAP server, where no second factor is enforced.

    The vulnerability causes problems for organizations that have 2FA configured for their users but haven't deployed the latest versions of FortiOS that address this behavior, which are FortiOS 6.0.10, 6.2.4, and 6.4.1. Organizations can run the following command to prevent the authentication bypass issue:

    set username-case-sensitivity disable

    Customers who are on FortiOS versions 6.0.13, 6.2.10, 6.4.7, 7.0.1, or later are advised to run the following command:

    set username-sensitivity disable

    With username-sensitivity set to disabled, FortiGate will treat usernames with different cases as identical and therefore prevent failover to any other misconfigured LDAP group settings.

    Furthermore, it is worth considering removing the secondary LDAP group if it is not required. This eliminates the entire line of attack: no authentication via the LDAP group is possible, so a user whose username does not match a local entry simply fails authentication. This requires updating the configuration of the FortiGate device.
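As an added illustration (not Fortinet code and not part of the original article), the following Python model reproduces the matching behavior described above: a case-variant username misses the local entry that carries 2FA, falls through to the LDAP group and is authenticated with a password alone, while 'set username-sensitivity disable' (case-insensitive matching) or removing the LDAP fallback closes the gap. The local user "jsmith", the LDAP group membership and its case-insensitive matching are constructed assumptions.

```python
"""Model of the FortiGate username matching described in the article.
Constructed illustration, not Fortinet code: one local user entry with
two-factor enabled, plus a secondary LDAP group used as the fallback."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FortiGateModel:
    # Constructed sample state: local user entries, each with 2FA enabled
    local_users: set = field(default_factory=lambda: {"jsmith"})
    # Members of the fallback LDAP group (assumed to match case-insensitively,
    # as LDAP servers commonly do); None models the group having been removed
    ldap_group: Optional[set] = field(default_factory=lambda: {"jsmith"})
    # Mirrors 'set username-case-sensitivity enable' (the vulnerable setting)
    case_sensitive: bool = True

    def _match_local(self, username: str) -> Optional[str]:
        """Return the matching local user entry, or None if there is none."""
        if self.case_sensitive:
            return username if username in self.local_users else None
        wanted = username.lower()
        return next((u for u in self.local_users if u.lower() == wanted), None)

    def authenticate(self, username: str, password_ok: bool, otp_ok: bool) -> str:
        """Outcome: 'ok-2fa', 'ok-no-2fa' (the bypass) or 'denied'."""
        if not password_ok:
            return "denied"
        if self._match_local(username) is not None:
            # Local entry found: the second factor is enforced
            return "ok-2fa" if otp_ok else "denied"
        # No local match: FortiGate tries the other configured methods
        if self.ldap_group is not None:
            if username.lower() in {u.lower() for u in self.ldap_group}:
                return "ok-no-2fa"  # authenticated by LDAP, 2FA never prompted
        return "denied"


if __name__ == "__main__":
    models = [
        ("vulnerable", FortiGateModel()),
        ("sensitivity off", FortiGateModel(case_sensitive=False)),
        ("no LDAP fallback", FortiGateModel(ldap_group=None)),
    ]
    for name, model in models:
        for user in ("jsmith", "JSmith", "JSMITH"):
            print(f"{name:16} {user:7} password only -> {model.authenticate(user, True, False)}")
```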

    In conclusion, CVE-2020-12812 highlights the importance of regularly updating and correctly configuring security controls to prevent similar incidents. Organizations that have not deployed the FortiOS versions that address this vulnerability should take immediate action.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Looming-Shadow-of-CVE-2020-12812-A-Five-Year-Old-Vulnerability-Thats-Now-Being-Exploited-by-Threat-Actors-ehn.shtml

  • https://thehackernews.com/2025/12/fortinet-warns-of-active-exploitation.html

  • https://securityaffairs.com/186117/security/five-year-old-fortinet-fortios-ssl-vpn-flaw-actively-exploited.html

  • https://nvd.nist.gov/vuln/detail/CVE-2020-12812

  • https://www.cvedetails.com/cve/CVE-2020-12812/


  • Published: Thu Dec 25 15:50:19 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.