Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability


Posted on December 25, 2025 By CWS

Dec 25, 2025 | Ravie Lakshmanan | Vulnerability / Enterprise Security
Fortinet on Wednesday said it observed "recent abuse" of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations.
The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the case of the username was changed.
"This occurs when two-factor authentication is enabled within the 'user local' setting, and that user's authentication type is set to a remote authentication method (e.g., LDAP)," Fortinet noted in July 2020. "The issue exists because of inconsistent case-sensitive matching between the local and remote authentication."

The vulnerability has since come under active exploitation in the wild by multiple threat actors, with the U.S. government also listing it as one of the many weaknesses that were weaponized in attacks targeting perimeter-type devices in 2021.

In a fresh advisory issued December 24, 2025, Fortinet noted that successfully triggering CVE-2020-12812 requires the following configuration to be present –

  • Local user entries on the FortiGate with 2FA, referencing back to LDAP
  • The same users need to be members of a group on the LDAP server
  • At least one LDAP group that the two-factor users are members of needs to be configured on the FortiGate, and that group needs to be used in an authentication policy, which may cover, for example, administrative users, SSL VPN, or IPsec VPN

If these prerequisites are satisfied, the vulnerability causes LDAP users with 2FA configured to bypass that security layer and instead authenticate against LDAP directly. This, in turn, is the result of the FortiGate treating usernames as case-sensitive while the LDAP directory does not.
"If the user logs in with 'Jsmith', or 'jSmith', or 'JSmith', or 'jsmiTh' or anything that's NOT an exact case match to 'jsmith,' the FortiGate will not match the login against the local user," Fortinet explained. "This configuration causes FortiGate to consider other authentication options. The FortiGate will check through other configured firewall authentication policies."

"After failing to match jsmith, FortiGate finds the secondary configured group 'Auth-Group', and from it the LDAP server, and provided the credentials are correct, authentication will be successful regardless of any settings within the local user policy (2FA and disabled accounts)."
As a result, the vulnerability can authenticate admin or VPN users without 2FA. Fortinet released FortiOS 6.0.10, 6.2.4, and 6.4.1 to address the behavior in July 2020. Organizations that have not deployed these versions can run the command below for all local accounts to prevent the authentication bypass –
set username-case-sensitivity disable
Customers on FortiOS versions 6.0.13, 6.2.10, 6.4.7, 7.0.1, or later are advised to run the following command instead –
set username-sensitivity disable

"With username-sensitivity set to disabled, FortiGate will treat jsmith, JSmith, JSMITH, and all possible combinations as identical and therefore prevent failover to any other misconfigured LDAP group setting," the company said.
As an additional mitigation, it is worth considering removing the secondary LDAP group if it is not required, as this eliminates the entire line of attack: no authentication via the LDAP group will be possible, and the user will fail authentication if the username is not a match to a local entry.
However, the newly issued guidance does not give any specifics on the nature of the attacks exploiting the flaw, nor whether any of those incidents were successful. Fortinet has also advised impacted customers to contact its support team and reset all credentials if they find evidence of admin or VPN users being authenticated without 2FA.
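To make the decision flow described above concrete, here is an added Python model of it (not Fortinet's code: the FakeLdap directory, the FortiGate dataclass and the authenticate() function are constructed stand-ins). It shows the exact-case local lookup falling through to the LDAP group, and why both mitigations close the gap: username-sensitivity disabled makes the local entry match regardless of case, and removing the secondary group leaves nothing to fall through to.

```python
# Model of the FortiOS authentication decision that CVE-2020-12812 hinges on.
# Added illustration, not Fortinet code: FakeLdap and FortiGate are constructed
# stand-ins and the real policy evaluation is more involved.
from dataclasses import dataclass

@dataclass
class LocalUser:  # a 'config user local' entry with password type LDAP
    name: str
    two_factor: bool = True
    enabled: bool = True

@dataclass
class FortiGate:
    local_users: dict              # name -> LocalUser
    ldap_groups: list              # LDAP groups referenced by an auth policy
    username_sensitivity: bool = True  # default; the fix sets this to False

class FakeLdap:
    """Constructed directory: usernames are case-insensitive, as in LDAP."""
    def __init__(self, creds, groups):
        self.creds = {u.lower(): p for u, p in creds.items()}
        self.groups = {g: {m.lower() for m in ms} for g, ms in groups.items()}
    def bind(self, user, password):
        return self.creds.get(user.lower()) == password
    def member_of(self, user, group):
        return user.lower() in self.groups.get(group, set())

def authenticate(fg, ldap, username, password, otp_ok):
    """Return (success, path); path records which policy granted access."""
    # Step 1: match a local user entry. With username-sensitivity enabled
    # (the default) only an exact-case match counts.
    if fg.username_sensitivity:
        local = fg.local_users.get(username)
    else:
        local = next((u for n, u in fg.local_users.items()
                      if n.lower() == username.lower()), None)
    if local is not None:
        # Local policy applies: the disabled flag and 2FA are enforced.
        if (local.enabled and ldap.bind(username, password)
                and (otp_ok or not local.two_factor)):
            return True, "local"
        return False, "denied"
    # Step 2: no local match, so FortiGate falls through to the other
    # authentication policies. The LDAP group grants access on password alone;
    # the local entry's 2FA and disabled flags never come into play.
    for group in fg.ldap_groups:
        if ldap.member_of(username, group) and ldap.bind(username, password):
            return True, "ldap-group"
    return False, "denied"
```

Running authenticate() with a case-mismatched username against a FortiGate that has username_sensitivity=True and a secondary group returns "ldap-group" even when the second factor is missing or the local account is disabled; with username_sensitivity=False, or with ldap_groups empty, the same login is denied.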

