
The bypass lets an attacker who already holds a valid username and password log in to FortiGate SSL VPN without ever being asked for the second factor, exposing the network perimeter of every organization that still runs a vulnerable FortiOS build.
CVE‑2020‑12812 (Fortinet advisory FG‑IR‑19‑283) stems from inconsistent handling of username case between the FortiGate's own user table and the external LDAP directory it authenticates against. A remote user is typically defined on the FortiGate as a user object whose password is verified by LDAP and which additionally carries a FortiToken. That user object is matched case‑sensitively, while the LDAP directory (Active Directory in most deployments) matches account names case‑insensitively. If the attacker submits the username in a different letter case (JDOE instead of jdoe), the FortiGate finds no matching user object, never sees the token requirement attached to it, and falls through to plain LDAP authentication, which accepts the password. The second factor is thereby nullified without any error being raised. Fortinet published the advisory and fixed releases in July 2020, but the configuration nuance remains a hidden risk for administrators who have not audited their SSL VPN authentication policies since.
Recent threat intelligence indicates that multiple threat actors are using this bypass to gain a foothold in corporate networks. Shadowserver's January 2026 scan identified over 9,700 internet‑exposed FortiGate appliances still vulnerable, more than 1,200 of them in the United States alone. The concentration of unpatched devices in high‑value regions underscores how long perimeter firmware can lag behind in fast‑moving enterprise environments. It also shows why this particular flaw is attractive: attackers who have phished or purchased a password can replay it against the VPN, which is exactly the scenario the second factor exists to stop.
Mitigation comes down to two practical steps. First, upgrade to a FortiOS release that contains the fix: Fortinet's advisory lists 6.0.10, 6.2.4 and 6.4.1 or later (every 7.x release postdates the fix). Second, on devices that cannot be upgraded immediately, apply the advisory's workaround on each LDAP server definition (under config user ldap): "set username-case-sensitivity disable" on 6.4.x, or "set username-sensitivity disable" on 6.0.x and 6.2.x. Note the direction of the setting: disabling case sensitivity makes the FortiGate's username lookup case‑insensitive, so JDOE and jdoe both resolve to the same user object and the attached token is enforced whichever way the name is typed. Organizations should also prune unnecessary LDAP groups from SSL VPN authentication policies, so that a username that matches no user object cannot be admitted through a group‑only mapping, and force password resets after any suspected credential compromise. Monitoring for anomalous VPN logins, including successful logins where the username case differs from the directory account, together with regular firmware audits, will help prevent future exploitation of this long‑standing vulnerability.