Over 10,000 Fortinet Firewalls Still Exposed to Five-Year-Old MFA Bypass Flaw

A Flaw That Lingers—Despite Being Known for Over Five Years
Look, here’s the thing: in early 2026, researchers and threat intel folks are still seeing over 10,000 Fortinet FortiGate firewalls out in the open—exposed to CVE-2020-12812. That’s a five-and-a-half-year-old flaw. Five years. And it’s still being used.
Fortinet and Shadowserver’s daily Vulnerable HTTP Report confirm it. Attackers are actively exploiting it in the wild. And it’s not just sitting there—this isn’t some dusty old bug buried under a mountain of patches. It’s being weaponized.
What’s wilder? It was found in 2020. Added to CISA’s Known Exploited Vulnerabilities list in 2021. And still? Thousands of organizations haven’t patched it.
We’re talking specific FortiOS versions—6.4.0, 6.2.0 through 6.2.3, and 6.0.9 and earlier. These are the ones still running in mission-critical systems. Hospitals. Banks. Government agencies. Places where a single login slip could mean a breach.
And the worst part? A fix has been available the whole time. They don’t have to be this vulnerable.
How the Bypass Works: A Case-Sensitivity Gap in Authentication
Let’s break this down.
When someone logs into a FortiGate SSL VPN, the system does two things: first, it checks whether the username matches a local account or an entry in an external directory, like Active Directory. Then, if that check passes, it kicks off MFA. That’s the standard. Two-factor. FortiToken. SMS codes. Something to prove you’re really who you say you are.
But here’s where it breaks.
FortiGate treats local usernames as case-sensitive. But Active Directory? It doesn’t. It sees “user” and “User” as the same person.
So what happens when that same person is also a member of a directory group that grants access to the VPN or admin tools? A username whose capitalization doesn’t exactly match the local account misses the local lookup, and the system authenticates it through the group membership instead, without asking for MFA.
And that’s exactly how attackers get in.
Change the capitalization. “user” to “User.” Boom. Access granted. No password guess. No brute force. Just a single character change. The system doesn’t even blink.
It’s not a hack. It’s a gap. A tiny, overlooked misstep in how the system handles identity.
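To make the gap concrete, here is an added toy model of the two lookups described above (an illustration written for this article, not Fortinet code): the flawed flow matches the local account only on an exact-case name and otherwise falls through to the LDAP group, while the hardened variant resolves the local account case-insensitively so its MFA requirement applies to every spelling. The usernames, passwords and group are constructed, and the hardened flow is one reasonable fix, not necessarily Fortinet's actual patch.

```python
# Toy model of the two lookups described above; sample accounts are constructed.
LOCAL_USERS = {                       # FortiGate local accounts: names are case-sensitive
    "user": {"password": "hunter2", "mfa": True},   # FortiToken configured
}
AD_ACCOUNTS = {"user": "hunter2"}     # Active Directory: compared case-insensitively
VPN_GROUP = {"user"}                  # LDAP group mapped to the SSL VPN policy, no MFA of its own

def ad_bind(username, password):
    """AD sees 'user' and 'User' as the same person."""
    return AD_ACCOUNTS.get(username.lower()) == password

def in_vpn_group(username):
    return username.lower() in VPN_GROUP

def _check_local(account, password, token_ok):
    if account["password"] != password:
        return "denied"
    if account["mfa"] and not token_ok:
        return "denied: mfa required"
    return "granted"

def login_vulnerable(username, password, token_ok=False):
    """Flawed flow: exact-case local lookup, then fall through to the LDAP group."""
    account = LOCAL_USERS.get(username)            # 'User' does NOT match 'user' here
    if account is not None:
        return _check_local(account, password, token_ok)
    # No exact local match: treated purely as a directory user. The group grants
    # VPN access on its own, so the second factor is never requested.
    if ad_bind(username, password) and in_vpn_group(username):
        return "granted"
    return "denied"

def login_hardened(username, password, token_ok=False):
    """One fix (assumed, not Fortinet's actual patch): resolve the local account
    case-insensitively so its MFA requirement is applied to every spelling."""
    name = next((n for n in LOCAL_USERS if n.casefold() == username.casefold()), None)
    if name is not None:
        return _check_local(LOCAL_USERS[name], password, token_ok)
    if ad_bind(username, password) and in_vpn_group(username):
        return "granted"
    return "denied"

if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, "user ->", fn("user", "hunter2"), "| User ->", fn("User", "hunter2"))
```

Note that the password is still checked in both paths; what the flawed flow loses is only the second factor.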
A High-Risk Flaw with Real-World Consequences
This one’s got a CVSS v3.1 score of 7.5—High. That’s not just “maybe risky.” That’s “this can get you in deep trouble.”
Why? Because it’s easy. It’s accessible. And once inside, attackers can move laterally. Steal data. Set up backdoors. Even drop ransomware.
Late 2025, Fortinet issued a PSIRT advisory—FG-IR-19-283 update—warning of “recent abuse.” They specifically called out setups where local FortiGate users with MFA are linked to LDAP groups that give access to SSL VPN or admin policies.
That’s a common setup. Hybrid environments. But it’s also a perfect trap.
And it’s not new. Ransomware groups used this in 2021. They’re still using it.
So why hasn’t it been fixed?
Because people didn’t see it as a threat. Or they didn’t know it was still exploitable. Or they just didn’t patch.
The reality is, this isn’t just about one firewall. It’s about how long we let legacy systems sit in the dark.
Global Exposure: Where the Vulnerability Is Most Prevalent
Shadowserver’s scans have found over 10,000 exposed instances as of January 2026.
The U.S. leads with 1,300. Then Thailand (909), Taiwan (728), Japan (462), and China (462).
A world map shows clusters across North America, East Asia, and Europe.
This isn’t just one industry. It’s everywhere. Organizations that mix local accounts with Active Directory—without reviewing their configurations—end up in the crosshairs.
It’s not about being tech-savvy. It’s about doing the basics: checking what’s running, what’s exposed, and whether your access rules are actually secure.
What Organizations Should Do Now
Fortinet says upgrade to fixed versions: FortiOS 6.0.10 or later, 6.2.4 or later, and 6.4.1 or later. That’s the fix.
But patching isn’t enough.
You’ve got to look at how your authentication works. Are you linking local users to LDAP groups that give access to admin or VPN tools? If so, that’s a red flag.
Simple steps: disable unused SSL VPN services. Enforce least privilege. Watch logs for logins that look off—especially ones with “User” instead of “user.”
And don’t stop there. Subscribe to Shadowserver’s daily reports. They’ll alert you when a new firewall goes live and is exposed. Run regular scans. Find the gaps before someone else does.
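As an added illustration of the log check above (written for this article, not a Fortinet or Shadowserver tool), the script below takes the list of local accounts that carry a second factor and flags successful SSL VPN logins whose username equals one of them only when case is ignored. The log lines are constructed in FortiGate's key="value" event style, and the field names and action values are assumptions to be checked against your own device's output.

```python
import re

# Local accounts configured with a second factor (constructed sample; export yours from the config)
LOCAL_MFA_USERS = {"user", "jsmith"}

# Constructed sample events in FortiGate's key="value" style; field names are assumptions
SAMPLE_LOGS = """\
date=2026-01-12 time=08:01:10 type="event" subtype="vpn" action="tunnel-up" user="user" group="vpn_local" remip="198.51.100.7"
date=2026-01-12 time=08:03:42 type="event" subtype="vpn" action="tunnel-up" user="User" group="CN=VPN-Users,DC=corp" remip="203.0.113.9"
date=2026-01-12 time=08:05:00 type="event" subtype="vpn" action="tunnel-up" user="JSMITH" group="CN=VPN-Users,DC=corp" remip="203.0.113.9"
date=2026-01-12 time=08:06:30 type="event" subtype="vpn" action="ssl-login-fail" user="User" group="" remip="203.0.113.9"
date=2026-01-12 time=08:07:15 type="event" subtype="vpn" action="tunnel-up" user="alice" group="CN=VPN-Users,DC=corp" remip="192.0.2.4"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one key=value line into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def is_case_mismatch_login(event, local_mfa_users=LOCAL_MFA_USERS):
    """Successful login whose user equals a local MFA account only when case is ignored.
    Such a name missed the exact-case local lookup, so its MFA step was never run."""
    if event.get("action") != "tunnel-up":
        return False
    user = event.get("user", "")
    return user not in local_mfa_users and user.casefold() in {u.casefold() for u in local_mfa_users}

def find_case_mismatch_logins(log_text, local_mfa_users=LOCAL_MFA_USERS):
    """Return (time, user, group, remote ip) for every flagged login in the log text."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_case_mismatch_login(ev, local_mfa_users):
            hits.append((ev.get("time"), ev["user"], ev.get("group"), ev.get("remip")))
    return hits

if __name__ == "__main__":
    for time, user, group, remip in find_case_mismatch_logins(SAMPLE_LOGS):
        print(f"{time} login as {user!r} via {group} from {remip}: local MFA account spelled differently")
```

A hit is only a lead: confirm it against the firewall's own authentication events and the account owner before treating it as a bypass.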
A Wake-Up Call for Enterprise Security
This isn’t just about one flaw. It’s a mirror.
Five years after it was found, it’s still being used. Why? Because patching isn’t automatic. It’s not top of mind.
Legacy systems get ignored. They’re seen as “working.” But they’re not. They’re just waiting for someone to make a small mistake.
And that mistake? It’s not complicated. It’s just changing a letter.
For security pros, this is a reminder: don’t assume things are safe because they’ve been around for years. Don’t trust the default settings. Don’t skip configuration reviews.
The smallest gap—like case sensitivity—can open the door to a full breach.
And if you’re not watching, someone else will be.