CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability (CVE-2020-12812)

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Fortinet has reported active exploitation of a five-year-old vulnerability (CVE-2020-12812) in FortiOS SSL VPN, which allows attackers to bypass two-factor authentication (2FA) under specific configurations. The flaw, affecting certain setups with local and remote authentication methods, has been observed in the wild by multiple threat actors, including state-backed hackers. Fortinet has issued an advisory detailing the prerequisites for exploitation and recommended mitigations. The FBI and CISA have also warned about the exploitation of this vulnerability in ransomware attacks.

Timeline

  1. 29.12.2025 13:16 1 articles · 23h ago

    FBI and CISA Warn of State-Backed Exploitation of CVE-2020-12812

    In April 2021, the FBI and CISA warned that state-backed hackers were exploiting CVE-2020-12812 in FortiOS SSL VPN. In November 2021, CISA added the vulnerability to its catalog of known exploited vulnerabilities, tagging it as exploited in ransomware attacks and ordering federal agencies to secure their systems by May 2022.

    Show sources
    Open in new tab
  2. 25.12.2025 10:22 2 articles · 5d ago

    Fortinet Reports Active Exploitation of CVE-2020-12812 in FortiOS SSL VPN

    On December 24, 2025, Fortinet issued an advisory warning of active exploitation of CVE-2020-12812, a five-year-old vulnerability in FortiOS SSL VPN. The flaw allows attackers to bypass 2FA under certain configurations, and Fortinet has provided mitigations to address the issue. Fortinet observed recent abuse of the vulnerability in the wild based on specific configurations.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Critical FortiCloud SSO Authentication Bypass Vulnerabilities Patched

Fortinet has released updates to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication via maliciously crafted SAML messages. The vulnerabilities stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default but is activated upon FortiCare registration unless explicitly disabled by the administrator. Threat actors have begun exploiting these vulnerabilities in active attacks on FortiGate devices, using IP addresses associated with hosting providers to carry out malicious SSO logins and export device configurations. Attackers targeted admin accounts, accessed the web management interface, and downloaded system configuration files, which can expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, with more than 5,400 in the United States and nearly 2,000 in India. Organizations are advised to apply patches immediately, disable FortiCloud SSO until updates are applied, and limit access to management interfaces. CISA has added the FortiCloud SSO auth bypass flaw to its catalog of actively exploited vulnerabilities, ordering U.S. government agencies to patch within a week by December 23rd.

Open in new tab

Fortinet FortiWeb Vulnerabilities Exploited in the Wild

Fortinet has disclosed a new medium-severity vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited. This vulnerability, with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The flaw was patched in version 8.0.2. Additionally, Fortinet silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in the same version. Exploitation campaigns have been observed chaining these vulnerabilities to facilitate authentication bypass and command injection. Fortinet's handling of these disclosures has been criticized for its delayed and fragmented approach. This development highlights the ongoing risks associated with unpatched vulnerabilities in network security appliances and the importance of timely and transparent disclosure practices.

Open in new tab

Critical OS Command Injection Vulnerability in FortiSIEM (CVE-2025-25256) Exploited in the Wild

Fortinet has disclosed a critical OS command injection vulnerability in FortiSIEM, identified as CVE-2025-25256. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute unauthorized code or commands via crafted CLI requests. Exploit code for this vulnerability has been observed in the wild. Affected versions include FortiSIEM 6.1 through 6.7.9 and 7.0.0 through 7.3.1. Fortinet advises upgrading to the latest versions and limiting access to the phMonitor port (7900) as a workaround. Additionally, a Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication. The vulnerability was silently patched in FortiWeb version 8.0.2. The exploitation activity was first detected early last month, and Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed. Rapid7 observed an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.

Open in new tab