CVE-2020-12812
In short
A flaw in the FortiOS SSL VPN lets a user who already knows a valid username and password log in without being prompted for the second factor (FortiToken), simply by changing the case of the username (for example ALICE instead of alice). This matters because the second factor is exactly what is supposed to protect VPN access once a password has been phished, reused or leaked.
Technical detail
An improper authentication vulnerability in the FortiOS SSL VPN: the username is not handled consistently between the primary credential check and the check that decides whether a FortiToken is required, so a case-variant of a valid username passes the password check but never triggers the second-factor prompt. An attacker who holds a valid username and password (from phishing, credential stuffing or a leaked dump) can therefore log in with a single factor and reach whatever the VPN exposes; the flaw does not by itself grant access without the password.
Summary generated and translated by AI from the official description.
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
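The following is an added illustration of the failure mode described above, not FortiOS code and not Fortinet's own reproduction. It models a login flow with a constructed user store in which the password check resolves the username case-insensitively while the lookup that decides whether a token is required uses the username exactly as typed; that mismatch is an assumption made to model the official description, not a statement of FortiOS internals. Beside it is the hardened flow, which resolves the canonical username once and reuses it for every subsequent decision.

```python
"""Model of the CVE-2020-12812 bypass: username case handled inconsistently
between the password check and the second-factor lookup.

Added example with a constructed user store; the function names, user
records and password hashing are stand-ins, not Fortinet code.
"""

import hashlib
import hmac

_SALT = b"constructed-salt"  # constructed; a real store uses a per-user salt


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed user store keyed by the username exactly as provisioned.
# "token_bound" models whether a FortiToken is assigned to the account.
USERS = {
    "alice": {"pw": _hash("correct horse"), "token_bound": True},
    "bob": {"pw": _hash("battery staple"), "token_bound": False},
}


def _find_user_case_insensitive(username: str):
    """Models a backend that matches account names regardless of case.
    Returns (canonical_name, record) or (None, None)."""
    wanted = username.lower()
    for name, rec in USERS.items():
        if name.lower() == wanted:
            return name, rec
    return None, None


def _password_ok(rec: dict, password: str) -> bool:
    return hmac.compare_digest(rec["pw"], _hash(password))


def login_vulnerable(username: str, password: str, token_supplied: bool) -> str:
    """Vulnerable flow: the first factor is matched case-insensitively, but the
    second-factor requirement is looked up with the username as typed."""
    _canonical, rec = _find_user_case_insensitive(username)
    if rec is None or not _password_ok(rec, password):
        return "denied"
    # Bug: case-sensitive lookup on the raw input. "ALICE" matches no record,
    # so no token binding is found and the second factor is never requested.
    needs_token = USERS.get(username, {}).get("token_bound", False)
    if needs_token and not token_supplied:
        return "token_required"
    return "granted"


def login_fixed(username: str, password: str, token_supplied: bool) -> str:
    """Hardened flow: resolve the canonical username once and use that same
    record for every later decision, so case variants cannot diverge."""
    canonical, rec = _find_user_case_insensitive(username)
    if rec is None or not _password_ok(rec, password):
        return "denied"
    needs_token = USERS[canonical]["token_bound"]  # same record, no second lookup
    if needs_token and not token_supplied:
        return "token_required"
    return "granted"


if __name__ == "__main__":
    for fn in (login_vulnerable, login_fixed):
        print(fn.__name__, "alice:", fn("alice", "correct horse", False),
              "ALICE:", fn("ALICE", "correct horse", False))
```

Run stand-alone, the vulnerable flow answers "token_required" for alice but "granted" for ALICE with the same password and no token, while the fixed flow answers "token_required" for both. The general lesson is the one a reviewer would apply to any authentication path: canonicalize the identifier exactly once at the entry point and thread that canonical value through every policy decision, rather than letting each check normalize (or fail to normalize) on its own.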
Affected products
Fortinet FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below (the versions named in the official description). Check the running release against these ranges, and treat any FortiToken-protected SSL VPN account on an affected build as effectively single-factor until the device is upgraded.