
More than 10,000 Fortinet firewalls worldwide remain exposed to CVE-2020-12812, a multi-factor authentication (MFA) bypass vulnerability identified over five and a half years ago.

Shadowserver recently added the issue to its daily Vulnerable HTTP Report, highlighting continued exposure amid active exploitation that Fortinet confirmed in late 2025.

CVE-2020-12812 stems from improper authentication in FortiOS SSL VPN portals and affects versions 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and earlier. Attackers can bypass the second authentication factor, usually FortiToken, simply by changing the case of a valid username, for example “user” to “User”, at login.

The cause is inconsistent case sensitivity: FortiGate treats local usernames as case-sensitive, whereas LDAP servers (like Active Directory) frequently ignore case, which permits authentication via group membership without requiring MFA.

The flaw has a CVSS v3.1 base score of 7.5 (High), reflecting network accessibility, low complexity, and potential impact on confidentiality, integrity, and availability. It was added to CISA’s Known Exploited Vulnerabilities catalog in 2021 following its exploitation by ransomware groups.

In December 2025, Fortinet released a PSIRT advisory (FG-IR-19-283 update) detailing “recent exploitation” of the flaw in production environments. The exploitation was tied to a particular configuration: local FortiGate users with MFA enabled who are linked to LDAP, with LDAP groups mapped to authentication policies for SSL VPN, IPsec, or administrative access. Attackers used the vulnerability to gain unauthorized access to internal networks, prompting Fortinet to recommend immediate assessment and patching.



Shadowserver’s scans confirm the persistence of the vulnerability, examining exposed ports for vulnerable HTTP services.

According to Shadowserver’s dashboard, over 10,000 vulnerable instances were detected as of early January 2026. The United States leads with 1.3K exposed firewalls, followed by Thailand (909), Taiwan (728), Japan (462), and China (462).

A global map visualization illustrates dense clusters in North America, East Asia, and Europe, with lower exposure noted in Africa and certain regions of South America.

| Top Countries | Vulnerable Count |
|---|---|
| United States | 1.3K |
| Thailand | 909 |
| Taiwan | 728 |
| Japan | 462 |
| China | 462 |

Fortinet advises upgrading to patched FortiOS versions (6.0.10+, 6.2.4+, 6.4.1+) and reviewing configurations to eliminate hybrid local-LDAP MFA configurations.

Shut down unnecessary SSL VPN exposure, enforce least privilege policies, and monitor logs for case-altered login attempts. Organizations should subscribe to Shadowserver reports for customized alerts and conduct timely Vulnerable HTTP scans.
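One way to implement the log check for case-altered usernames, as an added example that is not code from Fortinet or Shadowserver. The log lines are constructed and simplified, and the field names (`user`, `srcip`, `status`, `time`) and the user inventory are assumptions to adapt to your actual FortiGate log export.

```python
import re

# Assumption: usernames exactly as configured as local MFA users on the firewall.
LOCAL_MFA_USERS = {"jsmith", "adavis"}

# Constructed, simplified key=value log lines; field names are assumptions.
SAMPLE_LOGS = [
    'time=09:12:01 user="jsmith" srcip=198.51.100.7 action=login status=success',
    'time=09:40:13 user="JSmith" srcip=203.0.113.50 action=login status=success',
    'time=10:02:44 user="ADAVIS" srcip=203.0.113.50 action=login status=failure',
    'time=10:05:10 user="mlee" srcip=192.0.2.15 action=login status=success',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse key=value pairs, accepting quoted or bare values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def find_case_variants(lines, local_users):
    """Return login events whose username matches a local user only after case folding."""
    folded = {}
    for name in local_users:
        folded.setdefault(name.casefold(), []).append(name)
    findings = []
    for line in lines:
        event = parse_line(line)
        submitted = event.get("user")
        # Exact spellings take the normal local-user path and are not of interest here.
        if not submitted or submitted in local_users:
            continue
        configured = folded.get(submitted.casefold())
        if configured:  # same name, different case: the pattern to review
            findings.append({
                "time": event.get("time"),
                "submitted": submitted,
                "configured": sorted(configured),
                "srcip": event.get("srcip"),
                "status": event.get("status"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_case_variants(SAMPLE_LOGS, LOCAL_MFA_USERS):
        print(finding)
```

Successful logins with a case-altered username deserve review first; failed ones from the same source address are still worth correlating.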

This ongoing threat highlights the danger posed by legacy vulnerabilities in enterprise firewalls, which can facilitate ransomware attacks or lateral movement within compromised networks.
