Fortinet Warns of Active Exploitation of Age-Old SSL VPN Flaw
Fortinet has issued a new warning regarding the ongoing exploitation of a five-year-old security vulnerability in its FortiOS SSL VPN. The critical flaw, CVE-2020-12812, allows for authentication bypass under specific configurations, and threat actors are actively targeting it in the wild. An advisory released on December 24, 2025, details the conditions under which the vulnerability can be triggered, highlighting a persistent threat to enterprise security.
The vulnerability, first identified in July 2020, is an improper authentication flaw within the FortiOS SSL VPN. It carries a CVSS score of 5.2. The issue arises when two-factor authentication (2FA) is enabled for local users who reference a remote authentication method, such as LDAP. In these scenarios, a change in the capitalization of a username could allow an attacker to bypass the second factor of authentication, effectively logging in with just the username and password.
Fortinet’s recent advisory clarifies the specific configuration requirements for CVE-2020-12812 to be exploitable. According to the company, triggering this vulnerability requires the presence of local user entries on the FortiGate device that utilize 2FA and point to LDAP for authentication. Furthermore, these same users must be members of an LDAP group on the server, and this LDAP group needs to be configured on the FortiGate and used in an authentication policy. This could include policies for administrative users, SSL VPN, or IPSEC VPN access.
When these prerequisites are met, the vulnerability enables attackers to authenticate without the intended second factor. This occurs because the FortiGate system treats usernames case-insensitively for the initial local user check, while the LDAP directory might be case-sensitive. As Fortinet explained, if a user attempts to log in with an incorrect capitalization (e.g., ‘Jsmith’ instead of ‘jsmith’), the FortiGate will not find a matching local user.
Consequently, the FortiGate then evaluates the other configured authentication policies. If a secondary authentication group, such as ‘Auth-Group’ pointing to the LDAP server, is configured and the credentials are valid, authentication succeeds. This bypasses any 2FA settings or disabled-account status configured in the local user entry, so administrative or VPN users could be authenticated without completing the required 2FA procedure.
Mitigation and Remediation Steps
Fortinet initially addressed this behavior by releasing patched versions of FortiOS in July 2020, including FortiOS 6.0.10, 6.2.4, and 6.4.1. For organizations that have not yet deployed these updates, Fortinet recommended a command to disable username case sensitivity for all local accounts: set username-case-sensitivity disable.
Customers running more recent versions of FortiOS, specifically 6.0.13, 6.2.10, 6.4.7, 7.0.1, or later, are advised to implement a similar command: set username-sensitivity disable. Fortinet stated that with username sensitivity disabled, the FortiGate will treat all variations of a username’s capitalization as identical, thereby preventing a fallback to other potentially misconfigured LDAP group settings.
An additional mitigation suggested by Fortinet is to remove any secondary LDAP groups that are not strictly necessary. This eliminates the attack vector entirely: authentication via an LDAP group is no longer possible, and a login attempt fails if the username does not precisely match a local entry.
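To make the decision order described above concrete (the local-entry check falling through to an LDAP group policy, and the username-sensitivity and group-removal mitigations), here is an added Python model of that logic; it is not Fortinet's code, and the sample accounts, the group name, and the assumption that the LDAP server accepts any capitalization on bind are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class LocalUser:
    name: str
    two_factor: bool
    enabled: bool = True

# Constructed sample data (not from the advisory): local users that reference LDAP,
# and the same accounts in an LDAP group that is bound to the SSL VPN policy.
LDAP_CREDENTIALS = {"jsmith": "Winter2025!", "bjones": "Spring2025!"}
LDAP_GROUP_MEMBERS = {"vpn-users": {"jsmith", "bjones"}}
LOCAL_USERS = {
    "jsmith": LocalUser("jsmith", two_factor=True),           # 2FA required locally
    "bjones": LocalUser("bjones", two_factor=False, enabled=False),  # disabled locally
}
POLICY_GROUPS = ["vpn-users"]   # secondary LDAP group used in an authentication policy

def ldap_bind(username, password):
    """Assumed LDAP behaviour: the bind succeeds regardless of username capitalization."""
    return LDAP_CREDENTIALS.get(username.lower()) == password

def find_local_user(username, case_sensitive):
    """Local-entry lookup; case_sensitive=True is the default behaviour the advisory describes."""
    if case_sensitive:
        return LOCAL_USERS.get(username)
    return next((u for n, u in LOCAL_USERS.items() if n.lower() == username.lower()), None)

def authenticate(username, password, otp=None, case_sensitive=True, policy_groups=POLICY_GROUPS):
    """Model of the decision order: local entry (with its 2FA/enabled flags) first, group fallback second."""
    local = find_local_user(username, case_sensitive)
    if local is not None:
        if not local.enabled or not ldap_bind(local.name, password):
            return "denied"
        if local.two_factor and otp is None:
            return "denied:2fa-required"
        return "local+2fa" if local.two_factor else "local"
    # No local match: only the group policies are consulted, and 2FA is never evaluated.
    for group in policy_groups:
        if username.lower() in LDAP_GROUP_MEMBERS.get(group, set()) and ldap_bind(username, password):
            return "group-no-2fa"
    return "denied"

def suspicious_logins(events):
    """Detection aid: successful group-fallback logins for a name that also exists as a local entry."""
    local_names = {n.lower() for n in LOCAL_USERS}
    return [e for e in events if e["result"] == "group-no-2fa" and e["user"].lower() in local_names]
```

Running authenticate with case_sensitive=False models the effect of `set username-sensitivity disable`, and passing policy_groups=[] models removing the secondary LDAP group.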
While Fortinet’s latest guidance explains the technical details of the vulnerability and its mitigation, it does not provide specifics about the actual attacks currently exploiting the flaw. The company has not disclosed whether any of these ongoing incidents have been successful or the scale of any potential breaches. Fortinet has urged affected customers to contact their support team immediately if they find any evidence of administrator or VPN users being authenticated without 2FA. These organizations are also advised to reset all relevant credentials as a precautionary measure.
The continued exploitation of this long-standing vulnerability underscores the importance of ongoing security patching and configuration management for network infrastructure. Organizations that have not yet addressed CVE-2020-12812 are at significant risk. The next steps for affected entities involve not only applying the recommended configuration changes and updates but also diligently monitoring their systems for any signs of unauthorized access, especially concerning privileged accounts and VPN connections. The lack of detail on current attacks leaves a degree of uncertainty regarding the immediate threat landscape, emphasizing the need for proactive defense.