CVE-2020-12812 is an improper authentication vulnerability in Fortinet FortiOS affecting SSL VPN and, under specific configurations, other authentication policies such as IPsec and administrative access. Affected versions include FortiOS 6.4.0, 6.2.0 through 6.2.3, and 6.0.9 and earlier. The flaw arises from inconsistent username case handling between FortiGate local users and backend LDAP authentication: FortiGate treats local usernames as case-sensitive by default, while many LDAP directories such as Microsoft Active Directory treat usernames as case-insensitive. In configurations where a local FortiGate user is configured for two-factor authentication using FortiToken and that same user can also authenticate through an LDAP group referenced by an authentication policy, changing the case of the username can prevent matching the local 2FA-protected account and cause authentication to fall through to LDAP-backed group authentication without enforcing the second factor. As a result, a user can successfully authenticate without being prompted for FortiToken.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
set username-case-sensitivity disable on affected releases and set username-sensitivity disable on later releases. Also review and minimize LDAP group-based authentication paths, especially secondary LDAP groups used as fallback, and reduce unnecessary exposure of SSL VPN and administrative interfaces to the internet. Monitor authentication logs for case-variant login attempts against the same account names.Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
99 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
FortiOS SSL VPN improper authentication issue that can allow login without being prompted for second-factor authentication under certain configurations; reported abused in the wild.
A critical 2FA bypass vulnerability in Fortinet firewalls, still actively exploited five years after disclosure.
A vulnerability in FortiOS (CVE-2020-12812) allows attackers to bypass two-factor authentication (2FA), potentially granting unauthorized access to affected Fortinet devices.
An MFA bypass vulnerability in Fortinet FortiOS SSL VPN authentication where case-variant usernames can bypass the second factor in certain local-user + LDAP hybrid configurations, enabling unauthorized access.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.