Fortinet Warns of Active Exploitation of Five-Year-Old FortiOS 2FA Vulnerability
December 29, 2025
Fortinet warns that a five-year-old FortiOS vulnerability, CVE-2020-12812, is being actively exploited to bypass two-factor authentication (2FA) on SSL VPN logins in specific configurations.
An advisory issued December 24, 2025, confirms ongoing exploitation of CVE-2020-12812 against FortiOS SSL VPN deployments that use particular configuration settings.
According to Fortinet, the renewed exploitation targets configurations in which local users with 2FA enabled belong to a group that is also backed by an LDAP server, and an authentication policy uses that LDAP-backed group. The attacker abuses a username case-sensitivity mismatch: the underlying flaw (CVE-2020-12812) lets a login that uses a differently cased version of a username succeed without being prompted for the second factor.
Fortinet has not disclosed specifics of the ongoing attacks; affected customers should contact Fortinet Support and monitor for administrator or VPN logins that completed without a 2FA prompt.
Security outlets like SecurityAffairs are cited for background and ongoing threat context.
Recommended mitigations are to apply the 2020 patches, remove LDAP servers or groups that are not needed from the affected user groups, and reset credentials wherever a 2FA bypass is suspected.
Fortinet also advises verifying that the username case-sensitivity setting is configured correctly, since it is this misconfiguration that allows the token prompt to be skipped.
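Two checks follow from the description above: a configuration audit for the exposed pattern (a local 2FA user in an SSL VPN group that also has an LDAP backend), and a log hunt for the bypass signature (a successful SSL VPN login whose username matches a configured local 2FA user only after case folding). The following is an added example written for this summary, not Fortinet tooling or anything from the advisory. It assumes a simplified stand-in for the FortiOS group/user model and constructed FortiOS-style key="value" log lines; the field names (user=, action=, reason=, remip=) and the "login successfully" reason text are assumptions and should be checked against the logging schema of the firmware actually in use.

```python
"""Added example (not Fortinet code): audit and detection helpers for the
CVE-2020-12812 exposure pattern.  Configuration model and log lines below are
constructed; field names are assumptions about the FortiOS log format."""
import re
from typing import Dict, List, Set

# --- Constructed configuration model (assumption: simplified FortiOS stand-in) ---
LOCAL_2FA_USERS: Set[str] = {"jdoe", "asmith"}          # local users with a token
USER_GROUPS: Dict[str, Dict[str, Set[str]]] = {
    # group name -> local members and LDAP servers attached to the group
    "vpn_users":   {"local": {"jdoe", "asmith"}, "ldap": {"corp-ldap"}},  # exposed mix
    "admins_only": {"local": {"asmith"},         "ldap": set()},          # no LDAP backend
}
SSLVPN_POLICY_GROUPS: Set[str] = {"vpn_users"}           # groups referenced by the VPN policy


def exposed_groups(user_groups: Dict[str, Dict[str, Set[str]]],
                   policy_groups: Set[str],
                   local_2fa_users: Set[str]) -> List[str]:
    """Groups used by the SSL VPN policy that mix local 2FA users with an LDAP server.
    This is the configuration the advisory says is being targeted."""
    return sorted(
        name for name, members in user_groups.items()
        if name in policy_groups
        and members["ldap"]
        and members["local"] & local_2fa_users
    )


# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Parse a FortiOS-style key=value line into a dict (quoted or bare values)."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in KV_RE.finditer(line)
    }


def flag_case_mismatch_logins(lines: List[str], local_2fa_users: Set[str]) -> List[Dict[str, str]]:
    """Flag successful SSL VPN logins whose username equals a local 2FA user only
    case-insensitively: the exact bypass pattern of CVE-2020-12812.
    Caveat: this only works if the device logs the username as typed; if the
    firmware normalises case before logging, this rule will never fire."""
    by_lower = {u.lower(): u for u in local_2fa_users}
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_fortios_line(line)
        # assumption: these action/reason values mark a successful SSL VPN login
        if ev.get("action") != "ssl-login" or ev.get("reason") != "login successfully":
            continue
        user = ev.get("user", "")
        canonical = by_lower.get(user.lower())
        if canonical is not None and user != canonical:
            hits.append({
                "time": f"{ev.get('date', '?')} {ev.get('time', '?')}",
                "user": user,
                "expected": canonical,
                "remip": ev.get("remip", "?"),
            })
    return hits


# --- Constructed sample log lines (not real captures) ---
SAMPLE_LOGS = [
    'date=2025-12-28 time=09:14:02 type="event" subtype="vpn" logdesc="SSL VPN login" action="ssl-login" user="jdoe" group="vpn_users" remip="203.0.113.10" reason="login successfully"',
    'date=2025-12-28 time=09:20:45 type="event" subtype="vpn" logdesc="SSL VPN login" action="ssl-login" user="JDoe" group="vpn_users" remip="198.51.100.7" reason="login successfully"',
    'date=2025-12-28 time=09:31:11 type="event" subtype="vpn" logdesc="SSL VPN login" action="ssl-login" user="asmith" group="vpn_users" remip="203.0.113.22" reason="login successfully"',
    'date=2025-12-28 time=09:33:50 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="Asmith" group="vpn_users" remip="198.51.100.9" reason="sslvpn_login_permission_denied"',
    'date=2025-12-28 time=09:40:00 type="event" subtype="vpn" logdesc="SSL VPN login" action="ssl-login" user="bob" group="vpn_users" remip="203.0.113.40" reason="login successfully"',
]

if __name__ == "__main__":
    print("exposed groups:", exposed_groups(USER_GROUPS, SSLVPN_POLICY_GROUPS, LOCAL_2FA_USERS))
    for hit in flag_case_mismatch_logins(SAMPLE_LOGS, LOCAL_2FA_USERS):
        print("possible 2FA bypass:", hit)
```

Only the "JDoe" login is flagged: "jdoe" and "asmith" match exactly, "Asmith" failed, and "bob" is not a local 2FA user at all. The rule should be paired with a second one that correlates each successful login for a local 2FA user with the device's own token-verification event, so that a bypass is caught even if the attacker happens to reproduce the configured case.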
Organizations that have not applied the patch remain at significant risk, given how long the flaw has been public and how persistently it continues to be exploited.
The advisory notes prior exploitation by ransomware groups and state actors and points readers to Fortinet’s PSIRT blog for detailed guidance.
Fortinet patched the vulnerability, which it rated high severity, in July 2020 with FortiOS 6.0.10, 6.2.4 and 6.4.1, and its guidance also covers the username-case-sensitivity setting as a configuration mitigation where appropriate; customers still on affected versions should update.
In 2021 the FBI and CISA issued a joint alert on attackers exploiting CVE-2020-12812 alongside other Fortinet flaws, and subsequent joint advisories on routinely exploited vulnerabilities listed it as well.
Summary based on 5 sources
Sources

BleepingComputer • Dec 29, 2025
Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
The Hacker News • Dec 25, 2025
Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability
SecurityWeek • Dec 29, 2025
Fortinet Warns of New Attacks Exploiting Old Vulnerability
Security Affairs • Dec 25, 2025
Five-year-old Fortinet FortiOS SSL VPN flaw actively exploited