Severity: Critical · CISA KEV · Exploited in the wild · Public exploit

FortiOS SSL VPN 2FA Bypass via Username Case Manipulation

Identifiers: CVE-2020-12812 · CWE-287 (Improper Authentication) · Also known as: fg_ir_19_283

CVE-2020-12812 is an improper authentication vulnerability in Fortinet FortiOS SSL VPN affecting FortiOS 6.4.0, 6.2.0 through 6.2.3, and 6.0.9 and earlier. Under specific configurations, a user can authenticate successfully without being prompted for the second authentication factor (FortiToken) by changing the case of the username during login. The issue arises from a case-sensitivity mismatch in authentication handling: FortiGate local usernames are treated as case-sensitive, while LDAP backends such as Microsoft Active Directory commonly treat usernames as case-insensitive. When a case-variant username does not match the local 2FA-protected account exactly, FortiGate may fall through to LDAP group-based authentication and authenticate the user directly without enforcing the local second-factor requirement. Fortinet reporting indicates the issue can affect SSL VPN access and, in similar authentication-policy configurations, IPsec or administrative access.


ANALYST BRIEF: Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows bypass of multi-factor authentication for affected FortiGate authentication flows. An attacker with valid primary credentials can gain unauthorized access to the SSL VPN portal, and potentially other protected access paths tied to the same authentication design, without presenting the configured FortiToken second factor. This can provide an initial foothold into the target environment, enable unauthorized administrative or remote-access sessions, and facilitate follow-on activity such as internal network access, credential theft, lateral movement, persistence, and ransomware deployment. Fortinet has stated that if this condition has been exploited, the system configuration should be considered compromised.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable username case sensitivity so that case variants of the same username are treated identically and cannot sidestep the local 2FA match. Fortinet's workaround guidance is "set username-case-sensitivity disable" on affected versions and, on later versions, "set username-sensitivity disable". Additional mitigations include removing unnecessary LDAP group mappings that create fallback authentication paths, reducing or disabling unnecessary SSL VPN exposure, enforcing least privilege, and monitoring logs for case-variant login attempts and other suspicious authentication behavior.
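A model of the case-sensitivity mismatch described above, plus the log check for case-variant logins that the mitigation recommends, as an added Python example (not Fortinet's or Mallory's code). The log field names (subtype, action, user, remip), the sample lines and the local account list are constructed approximations of FortiGate event-log formatting, not captured data.

```python
import re

# Added example, not Fortinet's or Mallory's code; field names and log lines are constructed.
# Local FortiGate accounts with a FortiToken assigned (constructed sample).
LOCAL_2FA_USERS = {"jdoe", "Admin.Ops"}

def resolve_login(username, local_2fa_users, case_sensitive=True):
    """Which path a login takes: an exact local match enforces the FortiToken,
    anything else falls through to LDAP group auth. case_sensitive=True models
    the vulnerable default; False models 'username-case-sensitivity disable'."""
    if case_sensitive:
        matched = username in local_2fa_users
    else:
        matched = username.lower() in {u.lower() for u in local_2fa_users}
    return "local+2fa" if matched else "ldap-fallback"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate_log(line):
    """Parse a FortiGate key=value line (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_case_variant_logins(lines, local_2fa_users):
    """Return (logged_user, local_account, remip) for successful SSL VPN logins
    whose username is a case variant of a local 2FA account but not an exact
    match: exact matches got the FortiToken prompt, variants may have bypassed it."""
    by_lower = {u.lower(): u for u in local_2fa_users}
    hits = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "ssl-login":
            continue  # only successful SSL VPN logins are of interest
        user = ev.get("user", "")
        local = by_lower.get(user.lower())
        if local is not None and user != local:
            hits.append((user, local, ev.get("remip", "?")))
    return hits

SAMPLE_LOG = [  # constructed lines approximating FortiGate event-log formatting
    'date=2020-07-01 time=10:01:02 type="event" subtype="vpn" action="ssl-login" user="jdoe" remip=203.0.113.7 msg="SSL VPN login"',
    'date=2020-07-01 time=10:03:45 type="event" subtype="vpn" action="ssl-login" user="JDOE" remip=198.51.100.23 msg="SSL VPN login"',
    'date=2020-07-01 time=10:05:10 type="event" subtype="vpn" action="ssl-login" user="carol" remip=192.0.2.9 msg="SSL VPN login"',
    'date=2020-07-01 time=10:06:00 type="event" subtype="vpn" action="ssl-login-fail" user="Jdoe" remip=198.51.100.23 msg="SSL VPN login fail"',
]

if __name__ == "__main__":
    for name in ("jdoe", "JDOE"):
        print(name, resolve_login(name, LOCAL_2FA_USERS), resolve_login(name, LOCAL_2FA_USERS, False))
    for user, local, ip in find_case_variant_logins(SAMPLE_LOG, LOCAL_2FA_USERS):
        print(f"case-variant login: {user!r} maps to local 2FA account {local!r} from {ip}")
```

Feed real FortiGate SSL VPN event logs and the device's local user list to find_case_variant_logins to surface sessions that matched a 2FA account only by case.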

Remediation

Patch, then assume compromise.

Upgrade FortiOS to a fixed release: 6.0.10 or later, 6.2.4 or later, or 6.4.1 or later. Review the authentication architecture to eliminate the vulnerable hybrid local-user plus LDAP-group flow that permits fallback authentication without MFA. Fortinet also recommends removing unnecessary secondary LDAP group configurations used in authentication policies. If exploitation is suspected, reset all affected credentials, including user credentials and LDAP/Active Directory bind credentials, and investigate for unauthorized access.

PUBLIC EXPLOITS

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor    Product   Type
Fortinet  Fortios   operating_system

Vendor-confirmed product mapping.
