Urgent: Fortinet 2FA Bypass Still Exploited! Protect Your FortiGate Firewalls (2026)

Imagine this: a critical security flaw, lurking in your network for years, silently allowing attackers to bypass your two-factor authentication (2FA) defenses. Sounds like a nightmare, right? Well, that's exactly what's happening with a 5-year-old FortiOS vulnerability, CVE-2020-12812, which Fortinet recently warned is still being actively exploited in the wild.

This isn't just a theoretical threat; it's a real and present danger. Fortinet, the cybersecurity giant, has issued a stark reminder that threat actors are targeting vulnerable FortiGate firewalls, leveraging this flaw to gain unauthorized access. But here's where it gets controversial: despite a patch being available since July 2020, many organizations remain exposed. Why?

The vulnerability, tracked as CVE-2020-12812, stems from an improper authentication issue in FortiGate SSL VPN. Attackers can exploit it by manipulating the case of a username, tricking the system into granting access without requiring the second factor of authentication (typically a FortiToken). Fortinet explained in 2020 that this occurs when 2FA is enabled in the 'user local' setting, and the authentication method is set to a remote protocol like LDAP. The root cause? Inconsistent case sensitivity between local and remote authentication processes.

Fortinet released patches (FortiOS versions 6.4.1, 6.2.4, and 6.0.10) in July 2020 to address this flaw. For those unable to deploy the update, the company advised disabling username-case-sensitivity as a temporary workaround. However, the persistence of attacks suggests many organizations have yet to take action.

Last week, Fortinet reiterated the threat, emphasizing that attackers are specifically targeting firewalls with LDAP enabled. To be vulnerable, an organization must meet specific criteria: local user entries on the FortiGate must require 2FA and be linked to LDAP, and these users must belong to an LDAP group configured on the FortiGate.

But this is the part most people miss: Fortinet highlights that misconfiguration of a secondary LDAP group often exacerbates the issue. If a secondary LDAP group isn't necessary, it should be removed. Without any LDAP groups, authentication via LDAP becomes impossible, effectively blocking this attack vector.
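The three exposure criteria above (a local user with 2FA, linked to LDAP, belonging to a group that also contains an LDAP server) and the interim workaround can be checked mechanically. The following audit script is an added example, not Fortinet's code; the config text it parses is constructed in a simplified FortiOS-like syntax, and the key names (`type`, `ldap-server`, `two-factor`, `member`, `username-case-sensitivity`) are assumptions for the purpose of the demonstration.

```python
import shlex
# Constructed sample in simplified FortiOS-like syntax; key names are assumptions.
SAMPLE_CONFIG = """config system global
    set username-case-sensitivity enable
end
config user ldap
    edit "corp-ldap"
    next
end
config user local
    edit "alice"
        set type ldap
        set ldap-server "corp-ldap"
        set two-factor fortitoken
    next
end
config user group
    edit "ssl-vpn-users"
        set member "alice" "corp-ldap"
    next
end
"""

def parse(text):
    # {table: {entry: {key: [values]}}}; a 'set' before any 'edit' goes under entry "".
    tables, table, entry = {}, None, ""
    for tok in (shlex.split(line) for line in text.splitlines()):
        if not tok or tok[0] in ("end", "next"):
            continue
        if tok[0] == "config":
            table, entry = " ".join(tok[1:]), ""
            tables.setdefault(table, {"": {}})
        elif tok[0] == "edit":
            entry = tok[1]
            tables[table].setdefault(entry, {})
        elif tok[0] == "set":
            tables[table][entry][tok[1]] = tok[2:]
    return tables

def exposed_users(cfg):
    # Page criteria: local user with 2FA, linked to LDAP, in a group that also holds an LDAP server.
    ldap_servers = set(cfg.get("user ldap", {})) - {""}
    groups = [set(g.get("member", [])) for g in cfg.get("user group", {}).values()]
    return [u for u, a in cfg.get("user local", {}).items()
            if u and a.get("type") == ["ldap"]
            and a.get("two-factor", ["disable"]) != ["disable"]
            and any(u in g and g & ldap_servers for g in groups)]
def workaround_applied(cfg):
    # Fortinet's interim mitigation named on the page: username case sensitivity disabled.
    return cfg.get("system global", {}).get("", {}).get("username-case-sensitivity") == ["disable"]
```

Running it against a real `show full-configuration` dump would need the parser extended for nested `config` blocks; on the sample it reports `alice` as exposed with the workaround not applied, and removing `corp-ldap` from the group (the page's "remove the unnecessary LDAP group" advice) clears the finding.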

The gravity of this vulnerability was underscored in April 2021 when the FBI and CISA warned of state-backed hackers exploiting CVE-2020-12812, among other vulnerabilities, to bypass 2FA. Seven months later, CISA added it to its catalog of known exploited vulnerabilities, mandating federal agencies to secure their systems by May 2022.

Fortinet’s vulnerabilities are no strangers to exploitation, often as zero-day flaws. For instance, in November, the company warned of an actively exploited FortiWeb zero-day (CVE-2025-58034), just a week after confirming a silent patch for another FortiWeb zero-day (CVE-2025-64446) that had been abused in widespread attacks.

This raises a critical question: Why are so many organizations still vulnerable to known, patched vulnerabilities? Is it a lack of awareness, resource constraints, or something else entirely?

And here’s where it gets even more thought-provoking: Broken Identity and Access Management (IAM) isn’t just an IT problem—its impact ripples across the entire business. Traditional IAM practices often fail to keep pace with modern demands, leaving organizations exposed. For example, companies like Bitpanda, KnowBe4, and PathAI have demonstrated the importance of breaking down IAM silos to achieve greater agility and security.

A practical guide to modern IAM emphasizes the need for scalable strategies, highlighting what “good” IAM looks like and providing a simple checklist for implementation. The key takeaway? Proactive security measures and robust IAM practices are no longer optional—they’re essential.

So, what’s your take? Are organizations doing enough to address known vulnerabilities like CVE-2020-12812? Or is the cybersecurity community falling behind in the face of evolving threats? Let’s spark a conversation in the comments below!

Author: Moshe Kshlerin