10,000+ Fortinet Firewalls Still Exposed to 5-year Old MFA Bypass Vulnerability


Over 10,000 Fortinet firewalls worldwide remain vulnerable to CVE-2020-12812, a multi-factor authentication (MFA) bypass flaw disclosed over five and a half years ago.

Shadowserver recently added the issue to its daily Vulnerable HTTP Report, highlighting persistent exposure amid active exploitation confirmed by Fortinet in late 2025.

CVE-2020-12812 stems from improper authentication in FortiOS SSL VPN portals, affecting versions 6.4.0, 6.2.0 through 6.2.3, and 6.0.9 and earlier. Attackers can bypass the second authentication factor, typically FortiToken, by simply altering the case of a legitimate username, such as changing “user” to “User,” during login.

This occurs due to mismatched case sensitivity: FortiGate treats local usernames as case-sensitive, while LDAP servers (like Active Directory) often ignore case, allowing authentication via group membership without prompting for MFA.

The flaw carries a CVSS v3.1 base score of 7.5 (High), with network accessibility, low complexity, and potential for confidentiality, integrity, and availability impacts. It was added to CISA’s Known Exploited Vulnerabilities catalog in 2021 after ransomware actors leveraged it.

In December 2025, Fortinet issued a PSIRT advisory (FG-IR-19-283 update) detailing “recent abuse” of the vulnerability in the wild, tied to specific configurations: local FortiGate users with MFA enabled, linked to LDAP, and belonging to LDAP groups mapped to authentication policies for SSL VPN, IPsec, or admin access. Threat actors exploited this to gain unauthorized internal network access, prompting Fortinet to urge immediate checks and patches.


Shadowserver’s scans, which look for vulnerable HTTP services on exposed ports, confirm the flaw’s persistence.

Shadowserver’s dashboard reveals over 10,000 vulnerable instances as of early January 2026. The United States dominates with 1.3K exposed firewalls, followed by Thailand (909), Taiwan (728), Japan (462), and China (462).

A world map visualization shows dense clusters in North America, East Asia, and Europe, with lighter exposure in Africa and parts of South America.

| Top Countries | Vulnerable Count |
|---------------|------------------|
| United States | 1.3K |
| Thailand | 909 |
| Taiwan | 728 |
| Japan | 462 |
| China | 462 |

Fortinet recommends upgrading to fixed FortiOS versions (6.0.10+, 6.2.4+, 6.4.1+) and verifying configurations to avoid hybrid local-LDAP MFA setups.

Disable unnecessary SSL VPN exposure, enforce least privilege, and monitor logs for case-variant login attempts. Organizations should subscribe to Shadowserver reports for tailored alerts and run their Vulnerable HTTP scans promptly.
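One way to implement the log check for case-variant logins, as an added example that is not from the original article or from Fortinet: it flags logins whose username matches a local MFA-enabled account only when case is ignored. The log lines, field names, and user list are constructed for illustration.

```python
import re

# Local FortiGate accounts that have MFA enabled (constructed sample; in
# practice, export this list from the firewall configuration).
LOCAL_MFA_USERS = {"jsmith", "adavis"}

# Constructed, simplified key=value log lines. The field names are assumptions;
# adapt the parser to the fields your log source actually emits.
SAMPLE_LOGS = """\
date=2026-01-05 time=09:12:01 user="jsmith" srcip=198.51.100.7 action="ssl-login" status="success"
date=2026-01-05 time=09:14:37 user="Jsmith" srcip=203.0.113.44 action="ssl-login" status="success"
date=2026-01-05 time=09:15:02 user="JSMITH" srcip=203.0.113.44 action="ssl-login" status="failure"
date=2026-01-05 time=09:20:11 user="mlee" srcip=198.51.100.9 action="ssl-login" status="success"
date=2026-01-05 time=09:31:50 user="aDavis" srcip=192.0.2.15 action="ssl-login" status="success"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}

def find_case_variants(log_text, local_users):
    """Return login events whose username equals a local MFA account only
    when case is ignored, i.e. the mismatch behind CVE-2020-12812."""
    by_folded = {}
    for name in local_users:
        # Keep every exact spelling, in case two accounts differ only by case.
        by_folded.setdefault(name.casefold(), set()).add(name)
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        user = event.get("user")
        if not user:
            continue
        exact = by_folded.get(user.casefold())
        if exact and user not in exact:
            event["configured_users"] = sorted(exact)
            hits.append(event)
    return hits

if __name__ == "__main__":
    for e in find_case_variants(SAMPLE_LOGS, LOCAL_MFA_USERS):
        print(e["date"], e["time"], e["user"], "->", e["configured_users"],
              e["srcip"], e["status"])
```

Successful logins among the hits deserve the first look, since they indicate a session that may have been established without the second factor.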

This ongoing threat underscores the risks posed by legacy vulnerabilities in enterprise firewalls, which can enable ransomware or lateral movement within breached networks.
