January 28, 2026

Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass

More than 10,000 Internet-exposed Fortinet FortiGate firewalls are still vulnerable to CVE-2020-12812, a critical flaw in FortiOS’s SSL VPN that attackers are actively exploiting to bypass two-factor authentication (2FA). Even though Fortinet released fixes back in July 2020, many devices remain unpatched or are running configurations that are still susceptible. The bypass works in a surprisingly simple way: an attacker can log in without being prompted for the second factor (FortiToken) by changing the letter case of the username (for example, “JSmith” instead of “jsmith”). Shadowserver reported it is tracking over 10,000 exposed vulnerable systems, including 1,300+ in the United States.

Fortinet’s own analysis stresses that exploitation typically depends on specific LDAP-related setups: if the FortiGate treats usernames as case-sensitive but the organization’s LDAP directory does not, a login with a different letter case can “miss” the local 2FA user entry and fall back to LDAP group authentication, which in some policy designs grants access without 2FA. The practical takeaway is straightforward: patch to fixed FortiOS versions and/or apply Fortinet’s mitigation to disable username case sensitivity (and remove unnecessary secondary LDAP group fallbacks). The issue is serious enough that it has been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, which organizations commonly use to drive urgent remediation.
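To make the failure mode concrete for defenders, here is an added toy model of the authentication decision the article describes. It is illustration code written for this page, not FortiOS code or anything from Fortinet or BleepingComputer; the user store, the two policy flags, and the ordering (local FortiToken-enabled user first, then an LDAP group fallback) are constructed assumptions. The `audit` function answers the question an administrator actually cares about: under a given policy, can any case variant of a 2FA-enrolled username log in without presenting a token?

```python
"""Toy model of the case-sensitivity / LDAP-fallback interaction (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # True: the firewall compares the submitted username to its local
    # user entries with exact case (the susceptible setup in the article).
    local_lookup_case_sensitive: bool
    # True: a second rule lets LDAP group members in even when no local
    # 2FA user entry matched (the secondary fallback the article warns about).
    ldap_group_fallback: bool


# Constructed sample data: local VPN users enrolled with a token, and the
# membership of the LDAP VPN group. The directory matches case-insensitively.
LOCAL_2FA_USERS = {"jsmith", "adoe"}
LDAP_VPN_GROUP = {"jsmith", "adoe", "svc-backup"}


def authenticate(username: str, password_ok: bool, token_ok: bool, policy: Policy) -> str:
    """Return 'denied', 'allowed_with_2fa' or 'allowed_without_2fa'."""
    if not password_ok:
        return "denied"

    # Step 1: look for a local user that requires the second factor.
    candidate = username if policy.local_lookup_case_sensitive else username.lower()
    if candidate in LOCAL_2FA_USERS:
        return "allowed_with_2fa" if token_ok else "denied"

    # Step 2: fallback to LDAP group membership, which ignores case.
    # This branch is only reachable when step 1 failed to match.
    if policy.ldap_group_fallback and username.lower() in LDAP_VPN_GROUP:
        return "allowed_without_2fa"

    return "denied"


SUSCEPTIBLE = Policy(local_lookup_case_sensitive=True, ldap_group_fallback=True)
HARDENED = Policy(local_lookup_case_sensitive=False, ldap_group_fallback=False)


def audit(policy: Policy) -> list:
    """List case variants of enrolled users that a policy would admit without a token."""
    findings = set()
    for user in sorted(LOCAL_2FA_USERS):
        for variant in (user, user.upper(), user.capitalize()):
            # password correct, token deliberately absent
            if authenticate(variant, True, False, policy) == "allowed_without_2fa":
                findings.add(variant)
    return sorted(findings)


if __name__ == "__main__":
    for name, pol in (("susceptible", SUSCEPTIBLE), ("hardened", HARDENED)):
        print(f"{name}: token-less admits -> {audit(pol) or 'none'}")
```

Running the audit against the two policies shows that, in this model, either half of Fortinet’s guidance closes the gap on its own: making the local lookup case-insensitive routes every variant of “jsmith” to the 2FA entry, and removing the LDAP group fallback leaves an unmatched name with nowhere to go but “denied”. Real deployments should still apply the vendor patch; the model only explains why the configuration changes matter.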

Source: https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/
