Over 10,000 Fortinet Firewalls Exposed to 2FA Bypass: Why This “Old” Vulnerability Is a New Threat

Security researchers are reporting renewed active exploitation of a long-known Fortinet SSL VPN vulnerability that allows attackers to bypass two-factor authentication (2FA) entirely. Despite patches being available since 2020, current telemetry indicates that over 10,000 Fortinet firewalls remain exposed, including more than 1,300 in the United States alone. 

This vulnerability—CVE-2020-12812 (FG-IR-19-283) is not new. What is new is the scale at which threat actors are once again scanning for and exploiting it, signaling a likely increase in activity as we move into early 2026. 

What Is CVE-2020-12812? 

CVE-2020-12812 is a critical authentication bypass vulnerability affecting FortiOS SSL VPN configurations that rely on LDAP authentication with FortiToken-based 2FA. 

The flaw stems from a case-sensitivity mismatch: 

• FortiGate treats usernames as case-sensitive 

• LDAP directories treat usernames as case-insensitive 

An attacker can authenticate using a legitimate username with altered capitalization (for example, JSmith instead of jsmith). This causes FortiGate to fail over to a secondary LDAP authentication path that does not enforce 2FA, granting access with only a password. 

The result is a complete bypass of perimeter multi-factor authentication. 

Why This Is Especially Dangerous 

This vulnerability is considered low-effort and high-impact for attackers: 

• No exploit code required 

• No memory corruption or crash artifacts 

• No brute force or credential stuffing noise 

• Login activity often appears legitimate in logs 

Because attackers are using valid credentials, detection is extremely difficult without deep authentication monitoring and correlation. 

The vulnerability carries a CVSS score of 9.8, reflecting both its ease of exploitation and the severity of impact. 

Who Is Exploiting This Vulnerability? 

While no single threat actor has been publicly attributed to the latest wave of exploitation, this flaw has historically been used by: 

• Ransomware groups such as Hive and Play 

• State-aligned threat groups including APT35, Charming Kitten, Phosphorous, Cobalt Illusion, and Imperial Kitten 

The renewed interest strongly suggests that attackers are re-scanning for “forgotten” perimeter vulnerabilities, betting that legacy configurations, migrations, or newly deployed devices were never fully remediated. 

Why This Is Likely to Escalate in 2026 

This resurgence highlights a broader trend Alvaka sees repeatedly during incident response engagements, N-day vulnerabilities are often more dangerous than zero-days. 

Older vulnerabilities: 

• Are well understood by attackers 

• Have reliable exploitation paths 

• Exist on systems assumed to be “already patched” 

• Often resurface after staff turnover, firewall replacements, or rushed deployments 

As organizations focus on new threats, attackers return to the ones that were never fully closed. 

How Organizations Should Respond Immediately 

Fortinet introduced mitigations for this issue as far back as July 2020, including updates in: 

• FortiOS 6.0.10 

• FortiOS 6.2.4 

• FortiOS 6.4.1 and later 

Organizations should immediately: 

• Verify FortiOS versions and confirm the mitigation is actively enabled 

• Disable username case sensitivity in affected configurations 

• Review and remove unnecessary secondary LDAP authentication groups 

• Audit SSL VPN access logs for abnormal login behavior 

• Reset credentials associated with VPN and directory authentication 

• Treat any confirmed bypass as a full perimeter compromise 

Fortinet explicitly advises that any observed authentication bypass should be considered a total configuration compromise, requiring full credential resets. 

Signs Your Environment May Be at Risk 

Common indicators associated with exploitation include: 

• Successful VPN logins without 2FA prompts 

• Authentication events that differ only by username capitalization 

• Unexpected VPN access from new geolocations 

• Lateral movement shortly after VPN login 

• Subsequent deployment of ransomware or data exfiltration tools 

If these indicators are present, assume active compromise. 

How Alvaka Helps 

Alvaka provides 24×7×365 incident response and recovery services for organizations impacted by perimeter security failures, including Fortinet SSL VPN exploitation. 

Our response services include: 

• Immediate containment and attacker ejection 

• Firewall and VPN configuration forensics 

• Credential and directory security remediation 

• Ransomware containment and recovery 

• Post-incident hardening to prevent re-entry 

Our focus is not just restoring access, but ensuring attackers cannot regain it. 

The renewed exploitation of CVE-2020-12812 is a reminder that security debt compounds over time. Vulnerabilities do not expire simply because patches exist. If perimeter controls are misconfigured—or assumptions go unverified—attackers will find their way back in. 

Organizations relying on Fortinet SSL VPN should treat this advisory as a call to action, not a historical footnote.