Over 10,000 Fortinet Firewalls Exposed to Active 2FA Bypass Exploitation

What happened

Over 10,000 Fortinet firewalls are exposed to active exploitation of a 2FA bypass vulnerability that allows attackers to circumvent two-factor authentication and gain unauthorized access to SSL VPNs on unpatched devices. The issue stems from a five-year-old flaw (CVE-2020-12812) in FortiOS that, under certain configurations, lets threat actors log in without completing the second authentication factor by altering the case of the username. Fortinet has previously released patches for this flaw, but many internet-facing firewalls remain unpatched and vulnerable. 

Who is affected

Organizations using Fortinet FortiGate firewalls with vulnerable FortiOS versions that are still exposed on the internet are at risk. These include devices with SSL VPN configurations that rely on two-factor authentication in conjunction with LDAP where the username case-sensitivity issue exists. Security trackers report more than 10,000 such devices remain unpatched worldwide, with hundreds in the United States alone. Attackers exploiting this flaw can gain remote access as authenticated users without triggering MFA prompts. 

Why CISOs should care

CISOs must treat this as a significant perimeter security risk: it negates the protection normally provided by two-factor authentication and opens remote access paths that attackers can abuse with valid credentials obtained through phishing or credential-stuffing attacks. Long-known and patchable vulnerabilities like CVE-2020-12812 lingering in production environments highlight gaps in patch management and configuration hygiene that adversaries are actively exploiting. The exposure of critical firewall infrastructure undermines network trust boundaries and increases the likelihood of deeper compromise and data breach. 

3 practical actions

1. Patch and update FortiOS: Immediately inventory and update all Fortinet firewalls to firmware versions that address CVE-2020-12812. Ensure that SSL VPN and authentication modules are running patched releases. 
2. Audit 2FA and authentication configurations: Review VPN access policies, especially LDAP integrations and username case sensitivity settings. Disable features that could allow bypass conditions and enforce strict MFA validation. 
3. Reduce exposure of management interfaces: Limit public internet exposure of firewall management and VPN endpoints. Use network segmentation, access control lists, and VPN-only access to reduce the attack surface of perimeter devices.