Fortinet has reported active abuse of a long-standing security vulnerability in FortiOS SSL VPN that allows bypassing two-factor authentication (2FA) under specific configurations. The flaw, tracked as CVE-2020-12812 with a CVSS score of 5.2, arises due to improper authentication handling that lets users log in without being prompted for the second authentication factor if the username’s case is altered.
Fortinet originally identified this vulnerability in July 2020, noting that it occurs when 2FA is enabled for local users while the authentication type is set to a remote method, such as LDAP. The issue stems from inconsistent case-sensitive matching between local and remote authentication systems.
Recent advisories highlight that multiple threat actors are actively exploiting this vulnerability; the U.S. government had already flagged it in 2021 as a risk in attacks targeting perimeter devices.
For successful exploitation, the following configuration must exist:
- Local user accounts with 2FA enabled, linked to LDAP
- These users must belong to a group on the LDAP server
- At least one LDAP group containing 2FA users must be configured on FortiGate and included in an authentication policy
If these conditions are met, users with 2FA enabled may bypass the FortiGate security layer and authenticate directly via LDAP. This occurs because FortiGate treats usernames as case-sensitive while LDAP does not, allowing login variations such as “Jsmith,” “jSmith,” or “JSmiTh” to bypass local authentication.
Fortinet explained that in such cases, FortiGate searches secondary authentication options, checking other configured firewall policies and LDAP groups. If valid LDAP credentials are provided, login succeeds regardless of local user 2FA settings. This flaw can potentially allow admin or VPN users to authenticate without 2FA.
Fortinet addressed the issue in FortiOS versions 6.0.10, 6.2.4, and 6.4.1. Organizations using older versions can disable case sensitivity for usernames with the command:
set username-case-sensitivity disable
For customers on FortiOS 6.0.13, 6.2.10, 6.4.7, 7.0.1, or later, the recommended command is:
set username-sensitivity disable
Disabling username sensitivity ensures FortiGate treats all variations of a username as identical, preventing unintended LDAP authentication bypass. Fortinet also recommends removing secondary LDAP groups if unnecessary, as this eliminates the attack vector entirely. Impacted customers should contact support and reset credentials if any users were authenticated without 2FA.
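To make the mechanism behind the bypass and the fix concrete, here is an added simulation of the authentication flow described above (the case-sensitive local lookup, the fallback to secondary LDAP groups, and the effect of disabling username case sensitivity). It is illustrative code written for this page, not FortiOS code; the user store, directory, passwords and OTP are constructed sample data.

```python
from typing import Optional

# Constructed sample data: a FortiGate-style local user store and an LDAP directory.
LOCAL_USERS = {  # local users with 2FA enforced; passwords are verified against LDAP
    "jsmith": {"two_factor": True, "otp": "123456"},
}
LDAP_DIRECTORY = {  # LDAP matches user names case-insensitively
    "jsmith": {"password": "CorrectHorse", "groups": {"vpn-users"}},
}
POLICY_LDAP_GROUPS = {"vpn-users"}  # secondary LDAP groups referenced by an auth policy


def ldap_bind(username: str, password: str) -> Optional[dict]:
    """LDAP lookup is case-insensitive: any spelling of the name binds."""
    entry = LDAP_DIRECTORY.get(username.lower())
    return entry if entry and entry["password"] == password else None


def find_local_user(username: str, case_sensitive: bool) -> Optional[dict]:
    """Vulnerable path: exact-case match only.
    Hardened path (username case sensitivity disabled): fold case first."""
    if case_sensitive:
        return LOCAL_USERS.get(username)
    return LOCAL_USERS.get(username.lower())


def authenticate(username: str, password: str, otp: Optional[str],
                 case_sensitive: bool) -> str:
    """Return 'allow', 'allow-without-2fa' (the bypass) or 'deny'."""
    entry = ldap_bind(username, password)
    if entry is None:
        return "deny"  # wrong password: no path forward
    local = find_local_user(username, case_sensitive)
    if local is not None:
        # Local user matched: the second factor is enforced.
        if local["two_factor"] and otp != local["otp"]:
            return "deny"
        return "allow"
    # No local match: fall back to the LDAP group policy, which has no 2FA step.
    if entry["groups"] & POLICY_LDAP_GROUPS:
        return "allow-without-2fa"
    return "deny"


if __name__ == "__main__":
    for name, sensitive in (("jsmith", True), ("JSmith", True), ("JSmith", False)):
        print(name, "case-sensitive" if sensitive else "case-folded",
              authenticate(name, "CorrectHorse", None, sensitive))
```

With case sensitivity enabled, a differently cased name misses the local user and is admitted through the LDAP group without an OTP; with it disabled, the same name hits the local user and the second factor is required again.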