Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability

Fortinet has issued a warning regarding the active exploitation of a five-year-old vulnerability in FortiOS SSL VPN, which can allow attackers to bypass two-factor authentication (2FA) under specific configurations. The flaw, tracked as CVE-2020-12812 with a CVSS score of 5.2, was first disclosed in 2020 but remains relevant as threat actors continue to abuse it.

How the Vulnerability Works

The SSL VPN vulnerability occurs when 2FA is enabled for local users but their password authentication is delegated to a remote directory such as LDAP. The issue arises from inconsistent case sensitivity between local and remote authentication: if the case of a submitted username does not exactly match the local user entry, FortiGate may skip the local 2FA check and authenticate the user directly against LDAP.

Fortinet explained:

“If the user logs in with variations such as ‘Jsmith’, ‘jSmith’, or ‘jsmiTh’, FortiGate fails to match the login against the local user and checks secondary authentication groups. If credentials are correct, the system grants access regardless of 2FA settings.”

This flaw can be exploited to authenticate administrative or VPN users without requiring two-factor verification, creating a serious security risk for organizations relying on FortiOS SSL VPN.

Configurations That Enable Exploitation

Successful exploitation requires:

  1. Local user entries with 2FA referencing LDAP.
  2. Users being part of an LDAP group.
  3. At least one LDAP group configured in FortiGate authentication policies (e.g., admin, SSL VPN, or IPsec VPN).

If these conditions exist, attackers can bypass 2FA entirely through the case-sensitivity mismatch.
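The following is an added detection example, not code from the article or from Fortinet: it flags successful VPN logins whose username is only a case-variant of a local 2FA user and that were accepted by LDAP with no second factor, which is exactly the fall-through described above. The record layout, field names and sample records are constructed simplifications for illustration and are not FortiGate's real log format.

```python
# Added example (not from the article or Fortinet): find VPN logins that
# look like the case-mismatch 2FA fall-through described in the article.
# The record fields below are a constructed simplification, not a real
# FortiGate log schema; adapt the mapping to whatever your log source provides.
from dataclasses import dataclass

# Constructed: local user entries that have 2FA configured (the at-risk names).
LOCAL_2FA_USERS = {"jsmith", "Admin"}


@dataclass
class LoginRecord:
    user: str            # username exactly as submitted at the SSL VPN login
    auth_server: str     # backend that accepted the password: "local" or "ldap"
    second_factor: bool  # whether a second factor was actually completed
    status: str          # "success" or "failure"


def is_case_variant(login_user: str, configured_users) -> bool:
    """True when login_user matches a configured local user only after case folding.
    An exact match is a normal local login; a case-only mismatch is the trigger."""
    folded = {u.casefold() for u in configured_users}
    return login_user not in configured_users and login_user.casefold() in folded


def find_suspect_logins(records, local_2fa_users=LOCAL_2FA_USERS):
    """Return successful logins that bypassed the local 2FA path: the username is a
    case-variant of a local 2FA user, LDAP accepted it, and no second factor ran."""
    return [
        r for r in records
        if r.status == "success"
        and not r.second_factor
        and r.auth_server == "ldap"
        and is_case_variant(r.user, local_2fa_users)
    ]


# Constructed sample records covering the normal case, the bypass and non-matches.
SAMPLE_RECORDS = [
    LoginRecord("jsmith", "local", True, "success"),   # exact match, 2FA completed
    LoginRecord("Jsmith", "ldap", False, "success"),   # suspect: case variant, no 2FA
    LoginRecord("jsmiTh", "ldap", False, "failure"),   # failed attempt, not counted
    LoginRecord("bjones", "ldap", False, "success"),   # not a local 2FA user at all
    LoginRecord("ADMIN", "ldap", False, "success"),    # suspect: case variant of Admin
]

if __name__ == "__main__":
    for r in find_suspect_logins(SAMPLE_RECORDS):
        print(f"possible 2FA bypass: user={r.user!r} accepted by {r.auth_server} "
              f"without a second factor; review and reset credentials")
```

Failed attempts with a case-variant username are excluded here but are worth surfacing separately as reconnaissance, since they show someone probing the mismatch.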

Mitigation Steps

Fortinet addressed this vulnerability in FortiOS 6.0.10, 6.2.4, and 6.4.1, and organizations are advised to ensure their systems are updated. For those unable to upgrade immediately, Fortinet recommends:

  • For older versions: set username-case-sensitivity disable
  • For versions 6.0.13, 6.2.10, 6.4.7, 7.0.1, and later: set username-sensitivity disable

This ensures all username variations are treated identically, preventing accidental failover to misconfigured LDAP groups.

Additional best practices include removing secondary LDAP groups if not required, which eliminates the bypass vector entirely, and resetting credentials for any accounts suspected of being authenticated without 2FA. Organizations should contact Fortinet support if they detect potential abuse.

Key Takeaways

  • CVE-2020-12812 remains actively exploited despite being disclosed in 2020.
  • The vulnerability can bypass 2FA, posing significant risk for VPN and admin accounts.
  • Applying recommended FortiOS updates and configuration changes is critical to prevent unauthorized access.

Fortinet continues to monitor this issue and emphasizes that administrators should follow best practices for username sensitivity and LDAP group management to safeguard enterprise networks.
