- Fortinet reported renewed abuse of CVE-2020-12812 allowing SSL VPN users to bypass two-factor authentication under specific configurations.
- The bypass stems from a case-sensitivity mismatch between FortiGate username matching and LDAP directory behavior.
- Fixes were released in 2020; short-term mitigations include disabling username case sensitivity with specific commands.
Fortinet on December 24, 2025 issued an advisory saying it observed “recent abuse” of a five-year-old FortiOS SSL VPN flaw, CVE-2020-12812. The flaw can let a user log in without the second authentication factor when the username case differs from the local account entry.
The issue is an improper authentication vulnerability in FortiOS SSL VPN that arises when local users are configured for two-factor authentication (2FA) but reference a remote authentication method such as LDAP. “This happens when two-factor authentication is enabled in the ‘user local’ setting, and that user authentication type is set to a remote authentication method (eg, LDAP),” the advisory noted. LDAP is a directory protocol used to store and retrieve user account information. Two-factor authentication (2FA) requires two forms of verification to grant access.
Successful exploitation requires three conditions: local user entries on the FortiGate with 2FA that reference LDAP; those users must belong to an LDAP group; and at least one LDAP group that includes the two-factor users must be configured on the FortiGate and used in an authentication policy. Because FortiGate treated usernames as case-sensitive while LDAP often does not, a username typed with different case can fail to match the local entry and instead authenticate directly against LDAP.
The flaw had seen active exploitation in the wild by multiple threat actors in prior years. Vendor fixes released in July 2020 included FortiOS 6.0.10, 6.2.4, and 6.4.1. For older versions, Fortinet advises running: set username-case-sensitivity disable. For customers on FortiOS 6.0.13, 6.2.10, 6.4.7, 7.0.1 or later, run: set username-sensitivity disable. “With username-sensitivity set to disabled, FortiGate will treat jsmith, JSmith, JSMITH, and all possible combinations as identical…”
As an additional mitigation, remove any unnecessary secondary LDAP group. Impacted customers should contact support and reset credentials if they find evidence of admin or VPN users authenticating without 2FA. Related links: exploit image (https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWq72oFKp6biq3Hf_tsdl9xZeVhxI_BGzBaKfw1DiMD2ldey-KGb8qk27HJH9rt-pys9Ga94wnpRZfAYUdFW9g5_-ncNfIBaYtzsHD-GpGk0LtMaSZ0yD83PqptSkQlIuFNwa94qWlQvk3Yqz-eSpFchaeTh3VbYOXgRJ96sDTRz7dy-_ShXQu1jnzQXhx/s790-rw-e365/fortinet-exploit.jpg), additional resources (https://thehackernews.uk/filefix-d), (https://thehackernews.uk/zscaler-ai-event-d).
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Cathie Wood: 2026 a Goldilocks Year for Crypto Revival Surge
- Bitcoin flashed $24,111 on Binance USD1 wick, then rebounded
- Polymarket Users Drained; Third-Party Login Tool Blamed Now!
- Keeney: Tesla can outscale Waymo via mass vehicle production
- Incumbents, Stablecoins and Prediction Markets Drive 2025 Up
