Vulnerability Advisory/Mitigation Exploitation Wave

FortiGate SSL VPN 2FA bypass still under abuse

Updated 02.01.2026 18:01

Case score 66

Case score 66 Members 3 Latest activity 02.01.2026 18:01 Active exploitation Public PoC/exploit reported Patch/mitigation varies by member CVSS: 9.8 Critical

Active exploitation Public PoC/exploit reported Patch/mitigation varies by member CVSS: 9.8 Critical

Members 3 First seen 25.12.2025 10:22 Last seen 02.01.2026 18:01 Updated 02.01.2026 18:01

Overview

**FortiGate SSL VPN** exploitation tied to **CVE-2020-12812** is still active against deployments that combine local users, **LDAP**, and **FortiToken** 2FA. Attackers can change the username case to bypass the second factor, and Fortinet says more than **10,000** firewalls remain exposed, including more than **1,300** IPs in the **United States**. Fortinet's later advisory keeps the response focused on configuration hardening, disabling **username-case-sensitivity** or **username-sensitivity**, and resetting credentials where abuse is suspected.

Key facts

**CVE-2020-12812** is still being abused against **FortiGate SSL VPN** deployments that use LDAP-linked local users and **FortiToken** 2FA.
Changing the username case can bypass the second factor in the vulnerable login flow.
More than **10,000** firewalls remain exposed, including more than **1,300** IP addresses in the **United States**.
Fortinet fixed **FortiOS 6.4.1, 6.2.4, and 6.0.10** in **July 2020** and told admins who cannot patch to disable **username-case-sensitivity**.
The later advisory says admins should disable **username-sensitivity**, remove the secondary **LDAP group** if it is not needed, and reset credentials if abuse is suspected.

Signals

6 derived

Exploitation

Exploitation Active exploitation CVSS Exploit Public PoC/exploit reported

CVEs/products

CVE

Victims/regions

Victim region United States

Remediation

Member happenings

3 related

Vulnerability FortiGate SSL VPN active 2FA bypass (CVE-2020-12812)

Updated 02.01.2026 18:01 Lead Contribution 64

Exploitation Active Exploitation Exploit Public Exploit Data Status Exposed/Unsecured CVSS 9.8 Critical +1

**Fortinet** says **CVE-2020-12812** is still being **actively exploited**, leaving **over 10,000 Fortinet firewalls** exposed to a **2FA bypass** risk. The weakness affects **FortiGate SSL VPN** deployments that rely on **LDAP** and lets attackers log in without the second factor when the username case is changed. Fortinet already released fixes in **July 2020**, but unpatched systems remain vulnerable unless admins patch or disable **username-case-sensitivity**.

View happening

Exploitation Wave FortiGate firewalls CVE-2020-12812 active exploitation wave

Updated 29.12.2025 13:16 Scoring Support Contribution 1

Exploitation Active Exploitation Patch Patch Available

**FortiGate firewalls** with **LDAP-enabled** authentication paths are facing an **active exploitation wave** tied to **CVE-2020-12812**, a **2FA-bypass** flaw in **FortiOS**. Attackers can abuse the weakness to log in to **unpatched** systems without the second factor when the username case is changed. The activity matters because the vulnerable configuration remains exposed in real-world deployments and the abuse is still occurring **in the wild**.

View happening

Advisory/Mitigation FortiOS SSL VPN CVE-2020-12812 mitigation advisory

Updated 25.12.2025 10:22 Context

Exploitation Active Exploitation Urgency Immediate CVSS 5.2 Medium

Fortinet issued a **December 24, 2025** mitigation advisory for **CVE-2020-12812**, warning that certain **FortiOS SSL VPN** configurations can let **admin or VPN users** authenticate without **2FA**. The company told customers to disable **username sensitivity** or remove the secondary **LDAP group** path so login attempts cannot fall through to the bypass condition. If there is evidence of successful abuse, Fortinet also advised impacted customers to contact support and **reset all credentials**.

View happening