Fortinet warns of active exploitation of 2FA Bypass flaw in FortiGate devices
Take action: If you run FortiGate devices, check whether any of them authenticate users against LDAP and whether the firmware has been updated since 2020. If you use LDAP authentication, set `username-sensitivity disable` on every local user account now (the option exists only in FortiOS 6.0.10, 6.2.4, 6.4.1 and later, so upgrade first if you are on an older build). Then check your logs for successful logins that use a case variation of a valid username (such as 'JSmith' instead of 'jsmith'). Finally, bring all devices up to a current, patched release.
Learn More
Fortinet is reporting active exploitation of a five-year-old critical authentication bypass vulnerability.
The flaw is tracked as CVE-2020-12812 (CVSS score 9.8), and a fix was first published in July 2020. The vulnerability affects FortiGate devices configured for LDAP authentication and lets attackers bypass two-factor authentication.
FortiGate treats usernames as case-sensitive by default, but the LDAP directory does not, and this mismatch allows an authentication bypass in specific configurations. For the issue to be exploitable, the FortiGate must have local user entries with two-factor authentication enabled that reference the LDAP server, those same users must be members of groups on the LDAP server such as "Domain Users" or "Helpdesk," and at least one LDAP group the two-factor users belong to must be configured on the FortiGate and used in an authentication policy, for example for administrative access or SSL/IPsec VPN access.
When these prerequisites are met, an attacker can log in with any case variation of a valid username that does not exactly match the local user entry, such as "JSmith" instead of "jsmith." FortiGate fails to match the local user, falls through to authenticating the name directly against the LDAP server, and grants access via the LDAP group membership, completely bypassing the two-factor requirement attached to the local entry.
Fortinet introduced the mitigating configuration option in FortiOS versions 6.0.10, 6.2.4, and 6.4.1 as part of advisory FG-IR-19-283, published in July 2020. Organizations on those versions that have not yet enabled the mitigation should immediately configure all local accounts with `set username-case-sensitivity disable`; on more recent versions, including 6.0.13, 6.2.10, 6.4.7, 7.0.1 and above, the command is `set username-sensitivity disable`.
With username sensitivity disabled, FortiGate treats all case variations of a username (jsmith, JSmith, JSMITH) as the same local user, so a login attempt never falls through to the LDAP group match and the local 2FA setting is always applied. As an additional mitigation, administrators should remove any secondary LDAP groups from authentication policies that do not require them.
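The decision flow described above, modelled as an added example that is not Fortinet's code: a local user entry with 2FA that references LDAP, a fake directory that matches names case-insensitively, and an LDAP group allowed by a policy. The directory contents, the local user, the token value and the `username_sensitivity` flag (standing in for `set username-sensitivity disable` under `config user local`) are all constructed assumptions; the point is to show that the same credentials succeed without a token only when the submitted username misses the case-sensitive local lookup, and that disabling sensitivity or removing the policy group closes that path.

```python
"""Model of the username-case mismatch behind CVE-2020-12812.

Added example, not Fortinet code. It reproduces the advisory's decision
flow: local user lookup (with 2FA), then fallback to LDAP group matching.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumption): a fake LDAP directory keyed by
# lowercase account name, because AD-style directories ignore case.
LDAP_DIRECTORY = {
    "jsmith": {"password": "Winter2020!", "groups": {"Domain Users", "Helpdesk"}},
}
# Constructed 'config user local' entry: type ldap, two-factor enabled.
LOCAL_USERS = {
    "jsmith": {"two_factor": True, "token": "492817", "ldap_server": "corp-ldap"},
}
# LDAP group referenced by a FortiGate user group that a VPN/admin policy allows.
POLICY_LDAP_GROUPS = {"Domain Users"}


def ldap_bind(username: str, password: str) -> Optional[set]:
    """Fake LDAP bind. Returns the user's group set on success, None on failure.
    The lookup is case-insensitive, as the real directory's would be."""
    entry = LDAP_DIRECTORY.get(username.lower())
    if entry is None or entry["password"] != password:
        return None
    return entry["groups"]


def find_local_user(username: str, username_sensitivity: bool) -> Optional[str]:
    """Local user lookup. With sensitivity enabled (the FortiGate default) the
    match is exact; with 'username-sensitivity disable' it ignores case, so
    every spelling of the name hits the local entry and its 2FA setting."""
    if username_sensitivity:
        return username if username in LOCAL_USERS else None
    for name in LOCAL_USERS:
        if name.lower() == username.lower():
            return name
    return None


@dataclass
class AuthResult:
    success: bool
    path: str               # "local", "ldap-group" or "denied"
    two_factor_enforced: bool


def authenticate(username: str, password: str, token: Optional[str] = None, *,
                 username_sensitivity: bool = True,
                 policy_groups: set = POLICY_LDAP_GROUPS) -> AuthResult:
    """Authenticate the way the advisory describes the FortiGate behaving."""
    local_name = find_local_user(username, username_sensitivity)
    if local_name is not None:
        local = LOCAL_USERS[local_name]
        # A local user of type ldap has its password checked on the LDAP
        # server, then the two-factor token is required.
        if ldap_bind(local_name, password) is None:
            return AuthResult(False, "denied", True)
        if local["two_factor"] and token != local["token"]:
            return AuthResult(False, "denied", True)
        return AuthResult(True, "local", local["two_factor"])
    # No local match: fall through to the LDAP group the policy allows.
    # This branch never consults the local 2FA setting, which is the bypass.
    groups = ldap_bind(username, password)
    if groups and groups & policy_groups:
        return AuthResult(True, "ldap-group", False)
    return AuthResult(False, "denied", False)


if __name__ == "__main__":
    pw = "Winter2020!"
    print("jsmith + token   :", authenticate("jsmith", pw, "492817"))
    print("jsmith, no token :", authenticate("jsmith", pw))
    print("JSmith, no token :", authenticate("JSmith", pw))            # bypass
    print("JSmith, fixed    :", authenticate("JSmith", pw, username_sensitivity=False))
    print("JSmith, no group :", authenticate("JSmith", pw, policy_groups=set()))
```

Running the script shows the exact local name failing without a token, the case variant succeeding via the LDAP group with no token at all, and both mitigations (case-insensitive local matching, or dropping the LDAP group from the policy) turning that variant back into a denial.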
Administrators should review which authentication policies reference LDAP groups and check logs for suspicious authentication patterns, especially successful logins whose username does not exactly match a local user entry. Fortinet strongly recommends that organizations contact Fortinet support if they believe they have been affected, as professional assistance may be needed to assess the extent of any compromise.
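One way to run the log check above, as an added example rather than a Fortinet-provided tool: parse key=value login events and flag successful logins whose `user` field is a case variant of a known local account but not an exact match. The log lines are constructed, the field names and the notion of which `action`/`status` values count as a successful login are assumptions loosely modelled on FortiGate's key=value event log format, and the local user list is a placeholder for the device's `config user local` entries.

```python
"""Flag successful FortiGate-style logins that use a case variant of a
local username. Added example; sample log lines are constructed and the
field names are an assumption modelled on FortiGate key=value event logs."""
import re
from typing import Dict, Iterable, List

# Placeholder for the device's 'config user local' entries (assumption).
LOCAL_USERS = {"jsmith", "amiller", "admin"}

# Constructed sample events. 198.51.100.7 is the hypothetical attacker.
SAMPLE_LOGS = """\
date=2026-01-03 time=08:14:02 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=203.0.113.10 msg="SSL tunnel established"
date=2026-01-03 time=08:15:40 type="event" subtype="vpn" action="tunnel-up" user="JSmith" remip=198.51.100.7 msg="SSL tunnel established"
date=2026-01-03 time=08:16:01 type="event" subtype="system" action="login" status="success" user="ADMIN" remip=198.51.100.7 msg="Administrator ADMIN logged in successfully"
date=2026-01-03 time=08:17:22 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=198.51.100.7 msg="SSL user failed to log in"
date=2026-01-03 time=08:18:09 type="event" subtype="vpn" action="tunnel-up" user="amiller" remip=192.0.2.44 msg="SSL tunnel established"
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line; values may be bare or double-quoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def is_successful_login(ev: Dict[str, str]) -> bool:
    """Assumed success criteria: a VPN tunnel coming up, or an admin login
    event with status=success. Adjust to the log IDs your firmware emits."""
    action = ev.get("action", "")
    if action == "tunnel-up":
        return True
    return action == "login" and ev.get("status") == "success"


def find_case_variant_logins(log_text: str, local_users: Iterable[str]) -> List[Dict[str, str]]:
    """Return successful logins whose username matches a local user only when
    case is ignored. An exact match would have hit the local entry and its
    2FA; a case variant is the pattern CVE-2020-12812 abuse leaves behind."""
    canonical = {u.lower(): u for u in local_users}
    exact = set(local_users)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        user = ev.get("user")
        if not user or not is_successful_login(ev):
            continue
        if user not in exact and user.lower() in canonical:
            hits.append({
                "time": f"{ev.get('date', '?')} {ev.get('time', '?')}",
                "user": user,
                "local_user": canonical[user.lower()],
                "remip": ev.get("remip", "?"),
                "action": ev.get("action", "?"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_case_variant_logins(SAMPLE_LOGS, LOCAL_USERS):
        print(f"{hit['time']} {hit['remip']:>15} {hit['action']:<10} "
              f"user={hit['user']!r} (local entry {hit['local_user']!r})")
```

On the sample data the scan reports the `JSmith` VPN tunnel and the `ADMIN` administrator login, both from the same remote IP, while the exact-case `jsmith` and `amiller` logins and the failed attempt are ignored. Every source IP the scan returns should be treated as a potential indicator and pivoted on across the rest of the logs, since the case variant itself proves nothing about how long the account has been in use.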
Update: as of 3 January 2026, the Shadowserver Foundation reported that it is tracking over 10,000 Fortinet firewalls exposed on the Internet that are not patched against CVE-2020-12812.