Cybersecurity experts have issued a renewed warning that more than 10,000 Fortinet firewalls remain exposed online and vulnerable to a five-year-old two-factor authentication (2FA) bypass flaw, underscoring how legacy security gaps continue to pose modern risks. The vulnerability, tracked as CVE-2020-12812, carries a critical severity score of 9.8 out of 10 and is still being actively exploited in the wild.
The flaw affects FortiGate SSL VPN deployments and allows attackers to bypass FortiToken-based 2FA simply by manipulating the case sensitivity of usernames during authentication. Although Fortinet released patches as early as July 2020—through FortiOS versions 6.4.1, 6.2.4, and 6.0.10—large numbers of devices remain unpatched or improperly configured.
Fortinet had also advised administrators unable to immediately upgrade to disable username case sensitivity as a temporary mitigation. However, the continued exposure suggests that this guidance was either overlooked or never implemented across many environments.
Persistent exposure, years after disclosure
According to global internet monitoring group Shadowserver, more than 10,000 Fortinet devices are still vulnerable to CVE-2020-12812. Of these, over 1,300 exposed IP addresses are located in the United States, with the remainder spread across Europe, Asia, and parts of Latin America.
The issue first gained wider attention in 2021, when Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that state-sponsored threat actors were actively exploiting Fortinet vulnerabilities, including this 2FA bypass. Seven months later, CISA added CVE-2020-12812 to its Known Exploited Vulnerabilities (KEV) catalog, mandating U.S. federal agencies to remediate affected systems by May 2022.
Despite these high-level advisories, the vulnerability has proven remarkably persistent—largely due to exposed VPN interfaces, delayed patch cycles, and misconfigured authentication environments.
Fortinet devices remain high-value targets
Security analysts note that Fortinet products continue to attract sustained interest from both criminal and nation-state actors. In December 2025, threat intelligence firm Arctic Wolf reported active exploitation of a newer Fortinet authentication bypass flaw (CVE-2025-59718), which allowed attackers to hijack administrative accounts via malicious single sign-on (SSO) attempts.
Earlier in January 2025, Fortinet disclosed two FortiWeb zero-day vulnerabilities—CVE-2025-58034 and CVE-2025-64446—that were actively exploited in widespread campaigns, with at least one patch deployed silently before public disclosure.
In another high-profile incident, the Chinese state-linked threat group Volt Typhoon exploited FortiOS flaws (CVE-2023-27997 and CVE-2022-42475) to implant the Coathanger remote access trojan inside the Dutch Ministry of Defence network, highlighting the strategic risks tied to firewall compromise.
Why old vulnerabilities still matter
Experts say CVE-2020-12812 is a textbook example of “security debt”—where unresolved or forgotten vulnerabilities resurface as active threats years later. Because VPN gateways sit at the perimeter of enterprise networks, successful exploitation can provide attackers with initial access, often leading to lateral movement, credential theft, and full network compromise.
The persistence of this flaw also reflects broader challenges: legacy infrastructure, operational downtime concerns, and lack of visibility into exposed services—particularly in environments using LDAP-based authentication, where the bug is most commonly abused.
What organizations should do now
Cybersecurity professionals strongly recommend that administrators:
- immediately upgrade FortiOS to the latest supported version
- disable username case sensitivity if patching is delayed
- closely monitor SSL VPN and LDAP-enabled firewall instances
- audit administrative accounts and 2FA configurations regularly
- deploy centralized logging and alerting for anomalous access attempts
Consistent patch management and configuration hardening, experts stress, remain the most effective defenses against both old and emerging threats.
Five years after its disclosure, CVE-2020-12812 continues to put thousands of organizations at risk—demonstrating that in cybersecurity, age does not equal irrelevance. As attackers increasingly blend old vulnerabilities with new techniques, neglected patches can become the weakest link in otherwise modern defenses.
For firewall and network administrators, the message is unambiguous: legacy flaws demand immediate attention, because the consequences of ignoring them grow more dangerous with time—not less.
