FortiGate SSL VPN active 2FA bypass (CVE-2020-12812)
Vulnerability
Summary
Hide ▲
Show ▼
Fortinet says CVE-2020-12812 is still being actively exploited, leaving over 10,000 Fortinet firewalls exposed to a 2FA bypass risk. The weakness affects FortiGate SSL VPN deployments that rely on LDAP and lets attackers log in without the second factor when the username case is changed. Fortinet already released fixes in July 2020, but unpatched systems remain vulnerable unless admins patch or disable username-case-sensitivity.
Cases
Related Happenings
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
FortiBleed Fortinet/FortiGate VPN credential leak
Data LeakAbout this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
Fortinet FortiSandbox multi-CVE exploitation wave
Exploitation Wave
H score49
First: 16.06.2026 12:19
Last: 16.06.2026 12:19
Sources 1
About this happening:
**Fortinet FortiSandbox** is facing an **active exploitation wave** that puts **affected deployments** at risk of **unauthenticated remote code execution** and **privilege escalat...
Fortinet FortiSandbox multi-CVE exploitation wave
Exploitation WaveAbout this happening: **Fortinet FortiSandbox** is facing an **active exploitation wave** that puts **affected deployments** at risk of **unauthenticated remote code execution** and **privilege escalat...
FortiClient EMS CVE-2026-35616 exploitation wave
Exploitation Wave
H score56
First: 28.05.2026 18:26
Last: 28.05.2026 18:26
Sources 1
About this happening:
**CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...
FortiClient EMS CVE-2026-35616 exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...
FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers
Campaign
H score44
First: 10.03.2026 18:21
Last: 10.03.2026 18:21
Sources 1
About this happening:
A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...
FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers
CampaignAbout this happening: A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...
CyberStrikeAI observed on attacker infrastructure supporting FortiGate attack automation
Security Tool/Service
H score22
First: 03.03.2026 02:06
Last: 03.03.2026 02:06
Sources 1
About this happening:
**CyberStrikeAI** was observed on **attacker infrastructure** supporting a live **Fortinet FortiGate** attack campaign, showing the platform can be repurposed for offensive automa...
CyberStrikeAI observed on attacker infrastructure supporting FortiGate attack automation
Security Tool/ServiceAbout this happening: **CyberStrikeAI** was observed on **attacker infrastructure** supporting a live **Fortinet FortiGate** attack campaign, showing the platform can be repurposed for offensive automa...
Timeline
-
02.01.2026 18:01 3 articles · 6mo ago
FortiGate SSL VPN active 2FA bypass (CVE-2020-12812)
Initial DisclosureFortinet originally patched **CVE-2020-12812** in **July 2020** and recommended disabling **username-case-sensitivity** as a workaround for systems that could not be updated right away. The event reappeared in **January 2026** when Fortinet warned that attackers were still exploiting the flaw in vulnerable **FortiGate SSL VPN** configurations.
Show sources
- Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass — www.bleepingcomputer.com — 02.01.2026 18:01
- Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass — www.bleepingcomputer.com — 02.01.2026 18:01
- Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks — www.bleepingcomputer.com — 29.12.2025 13:16