Fortinet has issued a new advisory warning customers that CVE-2020-12812, an improper authentication flaw first disclosed in 2020, is once again being used in real-world attacks. The weakness affects FortiOS SSL VPN under specific configurations and allows users to authenticate without being prompted for a second factor simply by changing the letter case of the username.
CVE-2020-12812 carries a CVSS score of 5.2, but the operational risk can be much higher in environments that rely heavily on VPN and administrative access controls. The problem appears when two-factor authentication is configured for local users while authentication is actually delegated to a remote service such as LDAP. Because FortiGate handles usernames in a case-sensitive way and many LDAP directories do not, a mismatch can trigger fallback authentication that skips the 2FA requirement.
How the Bypass Works
Fortinet explains that if a legitimate user account exists as “jsmith,” a login attempt as “Jsmith,” “JSmith,” or any other variation using different case may bypass the local entry and authenticate directly against LDAP. If that LDAP group is also used in firewall or VPN authentication policies, the user is logged in without the expected second factor. This behavior can apply to administrative accounts and SSL VPN users, depending on the policy configuration.
This flaw depends on three conditions being present:
- Local user entries configured on the FortiGate with 2FA delegate password checking to an LDAP server.
- Those same users exist as members of groups within the LDAP directory.
- At least one of those LDAP groups is tied to an authentication policy on the FortiGate, such as SSL VPN, IPsec VPN, or admin access.
When these criteria are present, a case mismatch leads FortiGate to stop checking the local account and instead authenticate directly against LDAP.
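The decision order above can be modelled in a few lines. The following Python is an added illustration, not FortiOS code or anything published by Fortinet: it uses a constructed local-user table, a constructed case-insensitive LDAP directory and a constructed policy binding, and the `username_sensitivity` flag is only a stand-in for the effect the advisory attributes to disabling username case sensitivity. It shows why "Jsmith" reaches the LDAP group path without a second factor, why a case-insensitive local match closes that path, and why removing the LDAP group from the policy closes it as well.

```python
"""Model of the CVE-2020-12812 fallback condition.

Added example, not FortiOS code. All users, passwords, groups and policy
names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class LocalUser:
    name: str
    two_factor: bool
    ldap_server: str  # password checking is delegated to this server


# Constructed configuration: a local 2FA user whose password lives in LDAP.
LOCAL_USERS = [LocalUser("jsmith", two_factor=True, ldap_server="corp-ldap")]

# Constructed directory. Keys are stored lowercased to model a directory
# that matches usernames case-insensitively.
LDAP_DIRECTORY = {
    "jsmith": {"password": "correct horse", "groups": {"vpn-users"}},
}

# Constructed policy binding: the LDAP group "vpn-users" is allowed on SSL VPN.
POLICY_GROUPS = {"sslvpn": {"vpn-users"}}


def ldap_bind(username, password):
    """Case-insensitive bind; returns the entry's groups, or None on failure."""
    entry = LDAP_DIRECTORY.get(username.lower())
    if entry is not None and entry["password"] == password:
        return entry["groups"]
    return None


def find_local_user(username, username_sensitivity=True):
    """Case-sensitive local match by default; case-insensitive when the
    stand-in for 'set username-sensitivity disable' is applied."""
    for user in LOCAL_USERS:
        if username_sensitivity:
            matched = user.name == username
        else:
            matched = user.name.lower() == username.lower()
        if matched:
            return user
    return None


def authenticate(username, password, otp_ok, policy="sslvpn",
                 username_sensitivity=True, policy_groups=POLICY_GROUPS):
    """Return (decision, reason) following the order the advisory describes:
    local entry first (with its 2FA requirement), LDAP group fallback second."""
    local = find_local_user(username, username_sensitivity)
    if local is not None:
        if ldap_bind(username, password) is None:
            return "deny", "bad credentials"
        if local.two_factor and not otp_ok:
            return "deny", "second factor required"
        return "allow", "local user with 2FA"

    # No local entry matched: fall straight through to the LDAP group bound
    # to the policy. No second factor is evaluated on this path.
    groups = ldap_bind(username, password)
    if groups and groups & policy_groups.get(policy, set()):
        return "allow", "ldap group fallback (no 2FA evaluated)"
    return "deny", "no matching local user or LDAP group"


if __name__ == "__main__":
    for name in ("jsmith", "Jsmith"):
        print(name, authenticate(name, "correct horse", otp_ok=False))
    print("Jsmith (case-insensitive local match)",
          authenticate("Jsmith", "correct horse", otp_ok=False,
                       username_sensitivity=False))
    print("Jsmith (LDAP group removed from policy)",
          authenticate("Jsmith", "correct horse", otp_ok=False,
                       policy_groups={"sslvpn": set()}))
```

Run as a script, the exact-case login is denied for lack of a second factor, the case-changed login is allowed through the group fallback, and either hardening step turns the case-changed login back into a denial.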
History and Current Exploitation
Fortinet originally addressed the flaw in July 2020 with updates to FortiOS 6.0.10, 6.2.4, and 6.4.1. Despite the available fixes, the company now reports “recent abuse” of the weakness in the wild. U.S. government reporting had already flagged this issue as one of several perimeter-device weaknesses abused in prior campaigns.
The advisory does not provide details on who is exploiting the flaw or how successful those attempts have been. Even so, the renewed activity highlights how older configuration weaknesses can remain attractive to attackers long after patches are published.
Recommended Configuration Changes
Organizations still running affected builds should address username case handling without delay. Older versions can use the command that disables case sensitivity for local accounts. Later versions, including 6.0.13, 6.2.10, 6.4.7, 7.0.1, and above, support the related set username-sensitivity disable command. Once applied, the device treats all case variations of a username as identical, preventing the fallback condition that leads to a bypass.
It may also make sense to review LDAP group usage. If a secondary LDAP group is not needed, removing it eliminates the bypass path entirely, since authentication will fail when a username does not match the local entry.
Incident Response Guidance
Fortinet advises impacted customers to reset credentials and contact support if they discover any authentication events where admin or VPN users logged in without 2FA being applied. This step helps reduce lingering risk from any unauthorized access that may already have taken place.
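One practical way to find the events Fortinet is talking about is to look for successful admin or VPN logins whose username matches a local 2FA account only when case is ignored, since those are exactly the logins that would have missed the case-sensitive local entry and taken the LDAP path. The script below is an added example, not a Fortinet tool: the log lines are constructed key=value records rather than FortiGate's actual log schema, and LOCAL_2FA_USERS stands in for an export of the device's local-user table.

```python
"""Audit login events for the case-mismatch fallback described in the advisory.

Added example. The event format and every value below are constructed for
illustration and do not reproduce FortiGate's real log fields.
"""
import shlex

# Constructed: the local users that are configured with 2FA on the device.
LOCAL_2FA_USERS = {"jsmith", "admin"}

# Constructed sample events in a simple key=value layout.
SAMPLE_EVENTS = """\
ts=2024-05-01T08:02:11Z service=sslvpn user=jsmith result=success src=198.51.100.23
ts=2024-05-01T08:05:40Z service=sslvpn user=JSmith result=success src=203.0.113.9
ts=2024-05-01T08:07:02Z service=admin user=Admin result=success src=203.0.113.9
ts=2024-05-01T08:09:15Z service=sslvpn user=bjones result=success src=198.51.100.50
ts=2024-05-01T08:11:30Z service=sslvpn user=jSMITH result=failure src=203.0.113.9
"""


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(token.split("=", 1) for token in shlex.split(line))


def is_fallback_candidate(user, local_users=LOCAL_2FA_USERS):
    """True when the login name differs from a local 2FA account only by case.

    An exact match would have hit the local entry and been prompted for 2FA;
    a case-only difference would have missed it and fallen back to LDAP.
    A name that matches no local account at all is not a bypass candidate."""
    if user in local_users:
        return False
    return any(user.lower() == local.lower() for local in local_users)


def audit(events, local_users=LOCAL_2FA_USERS):
    """Return (ts, service, user, src) for successful logins that likely
    skipped the second factor through the case-mismatch path."""
    flagged = []
    for line in events.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("result") != "success":
            continue
        if is_fallback_candidate(event["user"], local_users):
            flagged.append((event["ts"], event["service"], event["user"], event["src"]))
    return flagged


if __name__ == "__main__":
    for ts, service, user, src in audit(SAMPLE_EVENTS):
        print(f"{ts} {service:7} user={user} src={src}  "
              f"(case differs from local 2FA account; review and reset)")
```

Against the constructed sample this flags the "JSmith" VPN login and the "Admin" administrative login, while the exact-case "jsmith" login, the unrelated "bjones" login and the failed "jSMITH" attempt are left alone. Each flagged account is one to treat under the advisory's reset-and-report guidance.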
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.