Fortinet says it has observed "recent abuse" of a security vulnerability in the FortiOS SSL VPN that dates back five years. The flaw in question is CVE-2020-12812 (CVSS score: 5.2).
It allows a user who changes the case of their username to log in successfully without being prompted for the second authentication factor. Fortinet fixed the behavior in July 2020 with the release of FortiOS 6.0.10, 6.2.4, and 6.4.1.
The U.S. government later listed it among the many vulnerabilities weaponized in 2021 attacks against perimeter devices. Fortinet says attacks have been observed, but it has not provided details about their nature or whether they were successful.
Fortinet recommends that customers running FortiOS 6.0.13, 7.0.1, or later execute the following command.
With username-sensitivity set to disabled, FortiGate treats jsmith, JSmith, JSMITH, and every other case variant as the same user, which prevents fall-through to any other, incorrectly configured LDAP group setting. If the secondary LDAP group is not needed, removing it is worth considering as an additional mitigation.
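As an added illustration (not text from Fortinet's advisory), this is the shape such a CLI change takes on a FortiGate. The `config user ldap` table as the place where the setting lives, and the server object name `corp-ldap`, are assumptions; only the `username-sensitivity` keyword comes from the article above.

```fortios
# Assumed example, not copied from Fortinet: make LDAP username matching
# case-insensitive on the (assumed) LDAP server object "corp-ldap", so that
# jsmith, JSmith and JSMITH all resolve to the same user entry.
config user ldap
    edit "corp-ldap"
        set username-sensitivity disable
    next
end
```

Run the equivalent for every LDAP server object that backs an SSL VPN or administrator login, and verify afterwards that a case-variant login is still challenged for the second factor.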
The root cause is that FortiGate matches usernames case-sensitively while the LDAP directory does not. When the two disagree, an LDAP user with 2FA configured who submits their username in a different case does not match the local entry that carries the 2FA policy and is instead authenticated directly against LDAP, bypassing the second factor. As a result, VPN users or administrators can authenticate without 2FA. If you have not installed the fixed FortiOS versions, you can avoid the authentication bypass by executing the following command for every local account.
Once it is applied, a user who does not match a local entry fails authentication outright, so the local user policy (2FA and disabled accounts) can no longer be sidestepped.
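To make the failure mode concrete, here is an added model of the login path the two paragraphs above describe. It is not FortiOS code: it is a small Python simulation in which 2FA and "disabled" policy live on a case-sensitively keyed local user entry, the directory binds case-insensitively, and an unmatched username falls through to a direct LDAP bind. The user names, passwords and flags are constructed sample data, and the `case_sensitive_local` and `ldap_fallthrough` switches are assumptions standing in for the two mitigations (treating case variants as one user, and failing when no local entry matches).

```python
# Added illustration of the CVE-2020-12812 failure mode described above.
# This is not FortiOS code: it is a small model of an SSL VPN login path that
# keeps 2FA and "disabled" policy on a local user entry, looks that entry up
# case-sensitively, and falls through to a case-insensitive LDAP bind when no
# local entry matches. All usernames, passwords and flags below are
# constructed sample data.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LocalUser:
    name: str
    two_factor: bool        # second factor required for this account
    disabled: bool = False  # administratively disabled account


# Local user policy, keyed case-sensitively (constructed sample data).
LOCAL_USERS: Dict[str, LocalUser] = {
    "jsmith": LocalUser("jsmith", two_factor=True),
    "bjones": LocalUser("bjones", two_factor=True, disabled=True),
}

# Directory credentials; the directory compares names case-insensitively
# (constructed sample data).
LDAP_CREDENTIALS: Dict[str, str] = {
    "jsmith": "Winter2020!",
    "bjones": "Spring2020!",
}


def ldap_bind(username: str, password: str) -> bool:
    """Model of an LDAP simple bind: the directory is case-insensitive on names."""
    return LDAP_CREDENTIALS.get(username.lower()) == password


def authenticate(username: str, password: str, token_ok: bool, *,
                 case_sensitive_local: bool = True,
                 ldap_fallthrough: bool = True) -> str:
    """Return 'ALLOW' or 'DENY' for one SSL VPN login attempt.

    The defaults reproduce the vulnerable behaviour: a case-variant username
    misses the local entry and is authenticated against LDAP directly, so the
    2FA and 'disabled' settings on that entry are never consulted.
    case_sensitive_local=False models jsmith/JSmith/JSMITH being one user
    (the username-sensitivity-disabled behaviour the article describes).
    ldap_fallthrough=False models failing closed when no local entry matches.
    """
    key = username if case_sensitive_local else username.lower()
    local: Optional[LocalUser] = LOCAL_USERS.get(key)

    if local is None:
        if not ldap_fallthrough:
            return "DENY"  # no local policy to apply: fail closed
        # Vulnerable path: direct LDAP authentication, no second factor.
        return "ALLOW" if ldap_bind(username, password) else "DENY"

    if local.disabled:
        return "DENY"
    if not ldap_bind(local.name, password):
        return "DENY"
    if local.two_factor and not token_ok:
        return "DENY"  # password correct, but no valid second factor
    return "ALLOW"


def bypass_demo() -> Dict[str, str]:
    """Outcomes for the same password with no second factor presented."""
    pw = LDAP_CREDENTIALS["jsmith"]
    return {
        # Exact-case username hits the local entry: 2FA enforced.
        "vulnerable_exact_case": authenticate("jsmith", pw, token_ok=False),
        # Case-variant username misses the local entry: 2FA bypassed.
        "vulnerable_case_variant": authenticate("JSmith", pw, token_ok=False),
        # The same trick also ignores the 'disabled' flag on bjones.
        "vulnerable_disabled_account": authenticate(
            "BJONES", LDAP_CREDENTIALS["bjones"], token_ok=False),
        # Mitigation 1: treat all case variants as the same local user.
        "case_insensitive_lookup": authenticate(
            "JSmith", pw, token_ok=False, case_sensitive_local=False),
        # Mitigation 2: no local match means authentication fails.
        "fail_closed": authenticate(
            "JSmith", pw, token_ok=False, ldap_fallthrough=False),
        # A legitimate login with the second factor still works.
        "with_token": authenticate("jsmith", pw, token_ok=True),
    }


if __name__ == "__main__":
    for case, result in bypass_demo().items():
        print(f"{case:30} {result}")
```

The point the model makes is that the bypass is not a flaw in the second factor itself but in the lookup that decides whether the second factor applies: any path that reaches the directory without first resolving the local policy entry is a 2FA-free login. A real deployment normalizes the stored names as well as the submitted one, which the sample sidesteps by storing them in lower case.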