10,000+ Fortinet Firewalls Exposed To 5-Year-Old MFA Bypass Flaw Amid Active Exploitation

Over 10,000 Fortinet firewalls worldwide remain vulnerable to a multi-factor authentication (MFA) bypass flaw first disclosed in mid-2020, even as active exploitation in the wild continues, security researchers and vendor advisories confirm. The persistence of this vulnerability — CVE-2020-12812, also tracked as FG-IR-19-283 — highlights ongoing challenges in patch adoption and hardened configuration among enterprises dependent on perimeter defence infrastructure.

Originally disclosed in July 2020, the vulnerability resides in the SSL VPN component of FortiOS, the operating system that powers Fortinet’s flagship FortiGate firewalls and secure gateway appliances. The bug enables an attacker to bypass secondary authentication (such as FortiToken MFA) simply by manipulating the case sensitivity of a username — a logic flaw in how the FortiOS authentication stack handles case-sensitive local user entries versus case-insensitive LDAP directories like Active Directory.

The issue arises in configurations where:

• a local user account is defined with two-factor authentication, and
• authentication is delegated to a remote directory (LDAP), and
• that account is part of an LDAP group used in VPN or administrative access policies.

When a login attempt uses a variation in uppercase/lowercase — for example “JSmith” instead of the exact local entry “jsmith” — FortiOS fails to match the user locally and falls back to LDAP group authentication. Because most LDAP implementations ignore case, the login succeeds without prompting for a second factor.

Fortinet first patched the flaw in mid-2020 releases of FortiOS, and the issue was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) “Known Exploited Vulnerabilities” catalog in 2021 due to observed ransomware abuse.

Despite its age, Fortinet acknowledged in a new Product Security Incident Response Team (PSIRT) advisory that the bug is being abused in the wild under “specific configurations” where vulnerable devices remain unpatched or improperly configured. The advisory, released in late December 2025, urged organisations to verify whether they are exposed and apply fixes where needed.

Threat actors are actively targeting this weakness to bypass MFA and gain unauthorised VPN or administrative access, especially on externally reachable firewalls — the very gateways designed to protect corporate networks.

Independent internet scanning group Shadowserver — which tracks vulnerable and exposed services globally — now shows over 10,000 Fortinet firewalls still susceptible to this 5-year-old bug. Geographic distributions indicate the United States (≈1.3K) as the largest cohort of exposed devices, followed by Thailand, Taiwan, Japan, and China.

These figures likely underrepresent real exposure because only internet-visible services are scanned, leaving out vulnerable devices shielded behind cloud providers or firewalls. Many industrial, educational, and government networks still rely on older FortiOS branches that never received appropriate configuration changes or patching.

Although CVE-2020-12812’s formal CVSS v3 base score has been reported variously in different databases (from 7.5 to 9.8 depending on vector definitions and exploit availability), analysts stress that the operational risk remains high due to the ease of exploitation and potential for unauthorised access to secure resources.

In many enterprise environments, VPN credentials serve as entry points for ransomware groups and advanced persistent threat actors. Once inside, attackers can pivot laterally, escalate privileges, and exfiltrate sensitive data — all while evading multi-factor protections that administrators believed were in place.

Notably, the Fortinet advisory does not detail the specific threat actors or campaigns exploiting this flaw, but a string of related incidents over recent years — including ransomware operations and state-linked activity exploiting unpatched Fortinet devices — underscores the appeal of such weaknesses for opportunistic attackers.

Fortinet’s current guidance for mitigating CVE-2020-12812 focuses on two principal actions:

1. Upgrade to fixed FortiOS versions — e.g., 6.0.10+, 6.2.4+, or 6.4.1+ and later releases that eliminate the logic error.
2. Review and correct authentication configurations, ensuring that local user MFA and LDAP group policies are not combined in ways that trigger the fallback behaviour.

Additional hardening measures include:

• Disabling unnecessary SSL VPN services on internet-facing interfaces.
• Enforcing least-privilege access and segmentation around VPN and management interfaces.
• Monitoring logs for login attempts using case-variant usernames, which can signal malicious probing or exploitation attempts.

Security teams are also urged to subscribe to daily vulnerability reports from organisations like Shadowserver and ICAAN, and to perform routine vulnerability scanning and risk assessments across their defensive perimeter.

The persistence of CVE-2020-12812 on thousands of production systems highlights a broader issue in enterprise cybersecurity: patch fatigue and configuration complexity. Even when fixes are available for years, operational constraints, compatibility concerns, and inadequate monitoring often leave critical infrastructure exposed — with attackers quick to exploit such gaps. Continuous compliance monitoring and automated patch orchestration should be prioritised to reduce similar risks.

As firms grapple with ever-more sophisticated threats, legacy bugs like this one serve as a stark reminder that age alone does not diminish risk — and that vigilance in configuration and maintenance remains as crucial as ever.